Document Retention Requirements



The following outlines some frequently asked questions and answers about keeping records and
documents. Before you read them you should check:

• Your organisation's rules (constitution) to see if there is any provision about clients
having the right to inspect their own files or have their records retained;
• The organisation's rules, policies or resolutions passed by members requiring that the
organisation's records be retained for a specified period; and
• Funding agreements to see if they require records to be kept and retained.

This summary details some of the main record-keeping requirements but is not exhaustive. There
may be others that your organisation needs to comply with depending on the area your
organisation works in or contracts/agreements it has.

What documents does my organisation need to keep?


If your organisation is a society:

• maintain proper accounts and records of the transactions and affairs of the society for a
period of at least 5 years

If your organisation is a company

The Companies Act states that a company must keep accounting and other records that will:

• sufficiently explain the transactions and financial position of the company; and
• enable true and fair profit and loss accounts and balance-sheets and any documents
required to be attached thereto to be prepared from time to time, and
• be kept in such manner as to enable them to be conveniently and properly audited.

The types of records businesses need to keep include:

• Source documents that substantiate all transactions in your business - e.g. receipts,
invoices, vouchers, and other relevant documents issued or received from
customers/suppliers;
• Accounting records and schedules - manual or electronic records of assets and liabilities,
revenue and expenses, gains (profit) and losses;
• Bank statements; and
• Any other records of transactions connected with your business.

You are required to keep these records for 5 years.

If your organisation is a trust

Please retain and keep proper records of all income derived by the estate/trust and distributions
made to the beneficiaries for a period of seven years from the relevant Year of Assessment (YA).

For YA 2008 and each subsequent YA the record keeping period is reduced from seven to five
years. For information on the types of records, see the "What taxation records do we need to
keep?" section on this page.

If your organisation is also a charity

The Charities Act states that a charity must keep accounting records to:

• sufficiently show and explain all the charity’s transactions; and
• disclose at any time, with reasonable accuracy, the financial position of the charity at that
time; and
• prepare a required annual statement of accounts for submission.

The accounting records must contain:

• entries showing from day to day all sums of money received and expended by the charity
and the matters in respect of which the receipt and expenditure takes place; and
• a record of the assets and liabilities of the charity.

These records must be preserved for 5 years and the last trustees of the charity are obliged to
carry out this duty even where the charity ceased to exist within the 5 years.

Note: These requirements do not apply to exempt charities and charitable companies. For further
information on exempt charities please go to www.charities.gov.sg.

If your organisation is also an Institution of a Public Character

An institution of a public character must maintain accounting records containing entries showing:

• all the donations received and disbursed;
• details of all the income received and the expenses incurred;
• the extent to which the amount of donations received has met any target set by your
organisation; and
• the period during which your organisation is approved to collect tax deductible donations.

If your organisation is a fund that is approved to collect tax deductible donations for a limited
period or of a limited amount only, your organisation must maintain separate accounting records
for moneys received for the fund and shall comply with the limits to the approval period and to
the approved amount for donations to be collected.

An institution of a public character must maintain every accounting record for a minimum period
of 5 years from the end of the financial year to which the accounting entry relates.

All IPCs are required to post their financial and non-financial information online on the Charity
Portal.

What taxation records do we need to keep?


Generally records, receipts and other documentation you have used to prepare your
organisation's tax return, including written evidence to verify claims for deductions claimed,
must be kept.

If your organisation is a society you are exempted from income tax.

If your organisation is a company

Your company must maintain proper records of its financial transactions and retain the source
documents, accounting records and schedules, bank statements and any other records of
transactions connected with your business.

For accounting records and supporting documents relating to Year of Assessment (YA) 2007 and
the earlier YAs, your company must retain the records for a period of seven years from the
relevant YA. For YA 2008 and each subsequent YA the record-keeping period has been reduced
from seven to five years.

If your organisation is a trust

Please retain and keep proper records of all income derived by the estate/trust and distributions
made to the beneficiaries for a period of seven years from the relevant Year of Assessment (YA).
For YA 2008 and each subsequent YA the record keeping period is reduced from seven to five
years.

• Trade income - prepare statements of accounts according to accounting standards.
• Rental income - prepare statements of rental income and expenses.
• Dividend income:
  a. Singapore - keep the original dividend statements issued by the nominee
  companies or dividends vouchers for submission in respect of dividends paid on
  or before 31.12.2007. All Singapore dividends paid on or after 1.1.2008 are tax
  exempt in the hands of shareholders under the one-tier corporate tax system.
  b. Foreign - make copies of dividend vouchers for submission.

If your organisation is a charity

With effect from the Year of Assessment 2008 all registered charities will enjoy automatic
income tax exemption without needing to meet the 80% spending rule. In other words,
you do not need to file income tax returns effective from the Year of Assessment 2008.

For information about tax-deductible donations, please go to the IRAS website.

If your organisation is an Institution of a Public Character

Some IPCs have been authorised to issue tax deduction receipts. Upon receiving the tax
deductible donations the IPCs should issue tax deduction receipts to the donors.

A tax deduction receipt should contain or incorporate the following information:

• This donation is tax deductible.
  ◦ For individual donors: This receipt is for your retention. You do not have to claim
  the deduction in your tax form if you have given your NRIC/FIN number. The
  deduction will be automatically included in your tax assessment.
  ◦ For other donors: Please retain this receipt for submission to the Comptroller of
  Income Tax.
• State the name of the Sector Administrator, where applicable;
• Be serially numbered; and
• Be signed by either the treasurer of the IPC or by any person to whom such function is
delegated by its trustees.

IPCs can also use the electronic medium provided by the Inland Revenue Authority of Singapore
(IRAS) to issue the tax deduction receipts.

IPCs have to maintain a record showing the particulars of every tax deductible donation
received. The record should include the following items:

• the receipt number (in numerical sequence);
• the name of the donor;
• the identification number or corporate or business registration number of the donor;
• the date on which the donation was received;
• the type of donation received;
• the amount or value of the donation received; and
• any terms and conditions under which the donation was made.

These records must be kept for at least 5 years from the end of the year of assessment relating to
the year in which the donation was received.

What employee and volunteer records do we need to keep?


Code of Governance

It is obligatory for charities to disclose the extent of their compliance with the Code of
Governance. The Code of Governance provides these guidelines:

• Basic:

There should be documented human resource policies that cover areas such as
recruitment, wages, benefits, training, development actions, performance appraisal and
disciplinary actions, approved by the Board for paid staff and volunteers.

• Enhanced:

Enhanced rules require additional layers of human resource management in managing
volunteers, reference checks, recruitment, performance appraisal, staff payment,
reimbursement of expenses, and training.

• Advanced:

Advanced guidelines address the further areas of insurance, feedback channels, conflict
resolution and exit policies.

CPF

Submitting contribution details by hardcopy:

The Record of Payment (Form CPF 90) should be kept for future reference. If you have
misplaced the Record of Payment and request a reprint, a service charge will be levied.

Employment Act

Under the Employment Act every employer shall prepare and keep a register showing the

• name;
• address;
• the basic rate of pay and allowances;
• the amount earned;
• the amount of deductions made from the earnings of each employee employed by
him; and
• such other particulars as may be prescribed from time to time.

The Commissioner may require any employer to forward to the Commissioner a return giving
the particulars requested.

Please refer to the MOM website for more information on who is covered under the Employment
Act.

Workplace Safety and Health

Under the Workplace Safety and Health Act the occupier must keep the following records in the
workplace:

• every document issued in respect of the workplace by the Commissioner for Workplace
Safety and Health under the provisions of this Act;
• a copy of every notice furnished to the Commissioner as required under this Act; and
• all reports and particulars prepared in respect of the workplace under this Act.

These records are required to be kept for 5 years.

Incident reporting:

An incident report must be submitted to the Commissioner of Workplace Safety and Health for
all accidents, dangerous occurrences and occupational diseases. Employers and occupiers are
required to keep a record of all incident reports for three years. It is an offence to fail to make an
incident report as required by the law.

Please visit the MOM website for more information.

What records do I need to keep when conducting public fund-raising appeals?

For every organisation

Note: These requirements do not apply to exempt charities and Institutions of a Public Character.

A charity, commercial fund-raiser or person conducting a fund-raising appeal must maintain
accounting records which shall contain entries showing —

• all the donations received and disbursed; and
• details of all the income received and the expenses incurred.

Every accounting record must be maintained for a minimum period of 5 years from the end of
the financial year to which the accounting entry relates. Total expenses incurred on public fund-
raising appeals in a financial year must not exceed 30% of total donations collected through the
public appeals in that year.

If you are an Institution of a Public Character

Records of all donations must be kept. (See the section: What documents does my organisation
have to keep?). If the donations are tax-deductible there are additional requirements. (See the
section: What taxation records do we need to keep?). If the total gross receipts from any single
fund-raising appeal are not less than $1 million the institution of a public character must —

• maintain separate financial accounts in respect of that fund-raising appeal; and
• at the end of the financial year, disclose on its own Internet website or, where it does not
have its own Internet website, on the Internet website of the Sector Administrator —
  ◦ the total gross receipts from the fund-raising appeal;
  ◦ the total expenses incurred in the fund-raising appeal; and
  ◦ the purposes for which the funds raised in the fund-raising appeal were used or
  will be used.

Total expenses incurred on public fund-raising appeals in a financial year must not exceed 30%
of total donations collected through the public appeals in that year.

Do you know of any actual or threatened legal proceedings against the organisation or any of its clients?

You are required to retain any document or electronic record which you may be lawfully
compelled to produce as evidence before a court of justice or in any proceeding lawfully held
before a public servant. It is a criminal offence to tamper with documents in order to prevent them
from being used as evidence.

Typically an action can be brought against a person or entity within 6 years of the cause of
action, for example a breach of contract or an act of negligence. Any legal documents that may
be relevant if legal action were to be taken (but is not actual or threatened), for example contracts,
should be kept for at least 6 years.

Can I keep records in electronic form?


Any document, record or information can be retained in the form of an electronic record if the
following conditions are satisfied:

• the information contained remains accessible so as to be usable for subsequent reference;
• the electronic record is retained in the format in which it was originally generated, sent or
received, or in a format which can be demonstrated to represent accurately the
information originally generated, sent or received;
• information enabling the identification of the origin and destination of an electronic
record and the date and time when it was sent or received, is retained; and
• any additional requirements relating to the retention of such electronic records specified
by the public agency which has supervision over the requirement for the retention of such
records are complied with.

If the document, record or information is required by law to be retained in its original form, it
can be retained in the form of an electronic record if the following conditions are satisfied:

• there exists a reliable assurance as to the integrity of the information contained in the
electronic record from the time the document, record or information was first made in its
final form, whether as a document in writing or as an electronic record;
• integrity is assessed by whether the information has remained complete and unaltered,
apart from the introduction of any changes that arise in the normal course of
communication, storage and display in the light of the purpose for which the information
was generated and the relevant circumstances;
• if the document, record or information is to be provided to a person, the electronic record
that is provided to the person is capable of being displayed to the person; and
• any additional requirements relating to the provision or retention of such electronic
records specified by the public agency which has supervision over the requirement for the
provision or retention of such records are complied with.

Are we required to have a document retention policy?


If your organisation has no policies currently in place regarding the retention and amendment of
employment records and other documents you should develop such policies as a matter of good
governance, and have regard to:

• the type of information to be retained by the organisation;
• the purpose for which that information is retained;
• the means of accessing, and if necessary altering, the retained information; and
• the timeframes for retention and what happens to files once this timeframe has expired.
Control of Documents

Document control is core to ISO 9001, and is common to all the other management standards.

From ISO 9001:2008:

“Documents required by the quality management system shall be controlled.”

It is one of the six procedures that you must document in ISO 9001:2008.

In the new version, ISO 9001:2015, there’s no longer a requirement to document the procedure,
but the requirements regarding control are much the same. The other difference is that
‘documents’ is now broadened to ‘documented information’, which includes what used to be
called ‘records’.

Writing down what you do will make it much easier to train new staff and to audit the process, so
even though it’s no longer a required procedure in ISO 9001:2015, we’d recommend you still
document the process.

So what are the “controls needed”?

Answer these questions in your documented procedure and you’ll satisfy the requirements for
ISO 9001 Document Control:

When a new document is found, or is created, how is it approved for release? – who reviews
and approves them? How will I know a document has been approved?

How is documented information identified? – Do you specify titles, numbering, dates? Can a
document be referred to without any confusion?

How will you provide access to released documents everywhere it’s needed? – Can everyone
get them from the server? What about workers on the shop floor, out on site, on the road? Will
they need hard copies, or some other offline distribution method?

How do you protect the documented information from unauthorised changes, or loss? –
Can anyone edit and delete the files? Do you have master copies stored safely? What about
backups?

When changes are made, how do you identify them? – How will people know if they do, or
don’t, have the updated information? How will I know what has changed between this version
and the latest release? How do I know what version my copy is, or the version of this paper copy
I found?

How do you review, update and re-approve documents? – Do you review on a regular basis
to make sure the information is still correct? Who does the review? How often? Who is
responsible for making changes? How is an updated version approved?

How do you find and control documents from external sources? – e.g. relevant standards,
legislation, supplier product specifications. ‘Control’ being all the previous questions on
approval, review, updates, access…

How do you prevent the use of obsolete documents? – How will you make sure that ONLY
current documents are in use? Are there hard copies to update? How do you keep track of them?
Will you make end users responsible for checking the status of their hard copies before each use?
Will you delete/destroy old documents? How will you identify/segregate/archive obsolete
documents you might want to keep?

Enough with the questions, how about some answers!

So what do you need to do, in a practical sense, to control documents?

#1 – put some control information on the document itself – on every controlled document.

Some information will go at the front of the document, and some needs to be on every page
(usually in the footer).

Here’s an example of a basic header:

Title: 4.2.3 Control of Documents
Person Responsible: Management Representative
Date Last Updated: 3 March 2012
Status: Released
Location: Quality Systems Toolbox

This header shows what document I’m looking at (‘4.2.3 Control of Documents’), and answers
the questions on how to tell this document has been approved (‘Released’), and the version (‘3
March 2012’), who is responsible for approving it (‘Management Representative’), and where to
find it (‘Quality Systems Toolbox’).

Here’s an example footer showing information that should be on each page of the document:

4.2.3 Control of Documents | Revision Date: 3 March 2012 | page 1 of 2

Why on every page?

• the number/name of the document – so you know what it is and can find the master copy, even
if the first page is missing. Some people use the file path or URL of the master copy, e.g.
“G:\Documents\ControlDocuments.doc”, or
“https://demo.qualitysystems.com/documents/control-of-documents”
• the revision date or number – so you can easily check to see whether the copy you have is the
latest, even if the first page is missing, or your different (paper) versions get mixed up.
• page numbering “page x of y” – so it is easy to see if you are missing a page

#2 Nominate a single place to keep master copies and a register of documents


This is where end users will go to check whether the version they have is the latest version. It
may also be the place where they access the documents they need.

In the past, this would have been paper master copies kept in the office, or on the document
controller’s hard drive. Access to the documents was through a ‘gate keeper’ person. More
commonly now it is a file server, or online (e.g., for Quality Systems Toolbox) and access is
granted through user accounts, permissions and passwords.

The documents register is simply a list of all the documents you control. You’ll need one to keep
track of all your management system documents and it helps you to know what needs to be
reviewed. Ideally the register will include the title, revision info (date or number or both), status
(draft, released, etc.) and who is responsible for the document (a name and/or a job title).

e.g.,

| Number | Title | Revision Number | Revision Date | Document Owner | Status |
|---|---|---|---|---|---|
| MSP-01 | General Requirements | 2.0 | 13 March 2013 | Jill Jones | Released |
| FORM-01 | Purchase Order | 1.0 | 6 Sept 2008 | Bookkeeper | Released |
| POL-03 | Health and Safety Policy | 3.0 | 22 June 2011 | WHSO | Released |
| POL-04 | Drugs and Alcohol Policy | 0.6 | 5 May 2013 | Michael | Draft |

Paper-based registers are hard work – each time you update a document you must also update the
register – often striking out the old line and adding a new line. Spreadsheet based registers are
not much easier to maintain but at least they allow sorting and searching. Online database
document systems are easier, since updating the information stored with the document itself
should flow through to the register, and sorting documents, searching and creating custom lists
(e.g. show all ‘forms’) are usually possible.

#3 Establish (and document) the process

This is where you answer those other questions.

Approval: Approving new and edited procedures is best spread around, and approval by the
process owner makes the most sense – e.g. the Sales Manager will approve sales related
processes. Management system documents (like the procedure for document control), will be the
responsibility of the Management Representative. The actual editing of the document may be
delegated to someone else.

The process of releasing a new document or update can be as simple as making the document
available at the designated central location – either adding it to the repository or changing the
permissions to make it available. Notification of the new release to relevant people is usually a
good idea, but be wary of sending every new document notification to everyone in your
organisation – too many notifications means they will all be ignored.

It is good practice to have some indication on the document itself so that the status of hard copies
can be easily determined, e.g. ‘Released’ in the header example above, an approval signature and
date added to the footer of a master paper copy.

Review: You need to review documents regularly to make sure they are up-to-date, suitable and
still reflect your practices. If the practice has changed (for the better) then the document should
be updated, rather than enforcing the old practices from the out-of-date document. Your review
will include checking for changes in standards, regulations, specifications and other external
documents. How often will depend on the process – how important it is and also how new and
changeable it is. Some documents have regulations stipulating how often they must be reviewed
e.g. MSDS must be less than 5 years old. Some of this will be incorporated into Internal Auditing
and Management Review, but make sure all your documents are covered (check the document
register).

Changes: In file-server and paper-based management systems, changes are usually tracked in a
table on the document itself. Sometimes this can be stored external to the document in the
register. Document Management software will usually store the change information in the
database, and a changes table is not required on the document itself.

The document itself should indicate its revision status (on the hard copy).

Access: These days, access is usually via logging on to the file server or online document
repository. However, don’t assume this is enough for all situations. The practicalities of
accessing the computer may be difficult/impossible for some locations or some personnel and
you may have to distribute hard copies in these cases. Keep track of where hard copies go for
future reference when updates need to go out and you need to remove the obsolete versions.

External Documents: Finding new external documents required for your business will come
about during normal operations as well as through management review. Control processes are the
same as for internal documents.

Obsolete documents: Keeping a distribution list for hard copies will help you track down the
old copies that must be removed. It’s also common to put the onus on the end user to check their
version against the version shown in the document register or the current version in the central
repository.


The six required procedures of ISO 9001

ISO 9001:2008 requires “documented procedures” for the following six activities:

• Control of documents (4.2.3)
• Control of records (4.2.4)
• Internal audit (8.2.2)
• Control of nonconforming product (8.3)
• Corrective action (8.5.2)
• Preventive action (8.5.3)

Of course, these documented procedures will have to be controlled according to the first
procedure listed (Control of Documents).

Any more is up to you. You must determine what further documentation is required in your
company for your Quality Management System to function effectively.

ISO 9001 also specifies required records.

ISO 9001:2015

ISO 9001:2015 does not require any documented procedures, and there are only three pieces of
required documented information that must be “maintained”:

• the scope of the quality system
• your quality policy
• your quality objectives

As far as procedures go, the standard now states:

“The organization shall maintain documented information to the extent necessary to support the
operation of processes”

So it’s up to you to work out what is needed and how you want to document it.

On the other hand, there is still plenty of documented information that must be “retained” (i.e.
records).

ISO 9001 requires records to be kept on certain activities.

This is part of proving that you ‘do what you say’. These records are also important for making
fact-based decisions on issues in your company.

Here are the activities for which records must be kept:

• Management Review Meetings – minutes (5.6.1)
• Training records (6.2.2)
• Product realization – evidence that requirements are fulfilled (7.1)
• Sales activities where the customer requirements are reviewed, including enquiry &
quotation, order receipt, order processing, order changes (7.2.2)
• Design and development – inputs, reviews, verification, validation, changes (7.3)
• Supplier Evaluations (7.4.1)
• Re-validation of Special Processes (7.5.2) (processes where parameters are controlled, e.g.
temperature, rather than controlling the product)
• Unique product ID records – (e.g. serial / batch number) if traceability is required (7.5.3)
• Customer property – lost, damaged or unsuitable for use (7.5.4)
• Calibrations (7.6)
• Internal Audits – findings and actions (8.2.2)
• Product checks – throughout process and for final release, including ‘who’ (8.2.4)
• Non-conformances (8.3)
• Corrective actions (8.5.2)
• Preventive actions (8.5.3)

A detailed list is available from iso.org in Annex B of this page.


An audit is simply another form of inspection and testing – except that in this case the product
being inspected is the management system itself.

Like a product inspection, an audit simply compares how things actually are, to how we think
they are and how they ought to be.

Audits help uncover areas that are in need of attention and they can be an opportunity to draw
back from the day-to-day details and to take a look at the whole process with fresh eyes. Despite
being such a (potentially) positive tool in the management system toolkit, audits often induce the
same kind of stress as end of year exams!

Obviously a great deal rides on a successful external audit so some anxiety is expected.
However, a good Internal Audit process can reduce the stress, since you can uncover the
problems yourself and resolve them before the external auditor begins.

We suggest you enrol in a professional development course before jumping into the role of
Auditor. An alternative is to use an external consultant to perform your internal audits for you.

Quality, safety and environmental management standards all require audits to monitor and report
on the effectiveness of the management system. This process is also one of the six documented
procedures required by ISO 9001:2008.

A documented procedure shall be established to define the responsibilities and requirements for
planning and conducting audits, establishing records and reporting results.

You are also required to keep records.

What does an internal audit process look like?

Each company will have their own particular method, but it will generally follow the same
process.

Plan your Audit Programme

Internal Audits need to be scheduled at planned intervals to check that the quality system
conforms to requirements and that the system is effective. ‘Requirements’ include the standard
itself, as well as the company’s own requirements (i.e., its own procedures and policies).

You don’t need to audit every process all at one time. The External Audit may be like this, but
internal audits can be spread out with different processes audited at different times – a series of
‘mini-audits’.

The standard does not set out a required audit frequency. Instead, it recommends that you
consider how important the processes are, their risks, their prior history of problems, and also
your quality objectives. With a series of ‘mini-audits’ you can set different audit frequencies for
different processes.

If you are implementing a new management system, we recommend that you should have
audited all the processes identified in your management system at least once prior to the initial
Certification Audit.

Work out who will audit.
An auditor should be objective and impartial. You cannot audit processes that you manage /
control yourself. This means you will need to have at least two internal auditors trained and
available. However, due to lack of resources, or sometimes with the crossover of responsibilities
that is common in small businesses, having two impartial auditors may not be possible. In this
case, you may need to consider using an external resource.

Large organisations may use a team of auditors.

Define the requirements for each audit.
The plan already identifies the area you will audit; now you need to define what criteria you will
audit against. Sometimes this takes the form of a formal checklist with a pre-determined list of
questions. You can also use a copy of the procedure being audited and mark this up with
questions and points to verify. You’ll need to identify what records should be checked to verify
the process.

Any previous findings or issues related to the audit area should also be checked.

Even with pre-defined questions, an auditor will still need to ‘follow their nose’ if something is
not quite right.

You can define the criteria for the audit prior to each audit rather than having to set this up at the
planning stage.

These requirements (checklists, documents, records, etc.) should be communicated to the auditee
some time prior to the actual audit taking place. (Specify the time in your audit procedure – a
week is reasonable.)

Conduct the audit
An audit usually starts with an opening meeting where the auditor meets the auditee(s), sets the
expected timetable and sets out how the audit will be conducted.

During the audit, the auditor will work systematically through the checklist or procedure,
examining evidence that the process meets the criteria. It’s common to mark up the checklist with
notes and a quick finding result, e.g.,
C = compliant,
NI = needs improvement,
NC = non-conformance.

When recording the audit, it is important to write down exactly what evidence was examined to
establish the finding – regardless of the finding. For example, when auditing employee training
records, the auditor writes:

(Note that the date is an important part of the evidence).

Usually the auditor will discuss the finding with the auditee before recording it. This is to ensure
the finding is understood and to confirm there is actually a problem, e.g. the auditee above may
reveal that Joe Bloggs’ personnel folder includes a separate safety briefing record with the
required signature. This can sometimes negate the finding, or just change it – i.e. the signature is
there, but it is not following the procedure. In this example, the consequences of not following
the procedure are minor and the audit finding should reflect that.

The audit will finish with a closing meeting where the lead auditor gives an overall summary of
the audit and discusses each audit finding to ensure they are understood.

Document the Audit findings
An external certification auditor will submit a formal written report on the audit to management
several days later and it’s common for an internal auditor to do the same. However, there’s no
requirement in the standard for a formal audit report. You simply need to ensure the findings are
recorded and communicated to management. You could just record the findings and their details
in your non-conformance form & register (or as an ‘Issue’ in QSToolbox).

You will need to retain records of the audit which will typically include:

• Completed Audit Checklists and/or marked up procedures
• Notes on objective evidence examined, and personnel interviewed
• Audit Findings (cross referenced to your Nonconformance Register)
• Audit Report

Take Action on those findings!
Findings raised at both Internal and External Audits need to be addressed with corrective actions.
If the audit reveals that we don’t do as we say, then we either change what we do, or change
what we say…
At the next audit, the auditor will verify that the corrective actions taken were effective in
bringing the management system into compliance.

More info…
Have a look at the auditing process using QSToolbox.

The ISO Standard ISO 19011 has guidance on auditing. It sets out requirements on training and
experience for auditors, and requirements for how audits should be planned, conducted and
recorded.
