
CONSULTANT AND TRAINING CENTRE SDN BHD

(1089456-K)

INTERNAL AUDITOR TRAINING

Table of Contents
1. Introduction to Auditing
2. Process Approach & Process Auditing
3. Managing Audit Programme
4. Auditing Activities
5. Competency & Responsibilities of Auditor
6. Conclusion

1. Introduction to Auditing

What is an audit?
Systematic, independent and documented
process for obtaining audit evidence and
evaluating it objectively to determine the extent
to which audit criteria are fulfilled
(ISO 19011:2002 clause 3.1)

an evidence gathering process

Why audit?
Requirement of ISO 9001:2015
Monitor and measure the management
system
Promote continuous improvement of
the management system

Principle of Auditing
Principles relating to auditors:
Ethical conduct
Fair presentation
Due professional care
Principles relating to audit:
Independence
Evidence-based approach
Note: reference to ISO 19011:2002 Clause number 4.0

Benefits of Auditing
Verifies conformity to requirements
Increases awareness and understanding
Provides a measurement of effectiveness of the
management system to top management
Reduces risk of management system failure
Identifies improvement opportunities
Continuous improvement if performed regularly

Type of Audit
First-party (internal audit)
Second-party (external audit)
Third-party (external audit)
Workshop 01

Answers for Workshop 01-Type of Audit


First-party audit
Organizations use first party audits to audit themselves.
First party audits are used to confirm or improve the effectiveness
of management systems. They're also used to declare that an
organization complies with an ISO standard
(this is called a self-declaration).
Of course, such a declaration is credible only if first party auditors
are genuinely independent and free of bias.
If you decide to use first party auditors to make a self-declaration
of compliance, make sure that they aren't auditing their own work.

Second-party audit
They're usually done by customers or by others on their behalf.
However, they can also be done by regulators or any other external
party that has a formal interest in an organization.

Third-party audit
They're performed by independent organizations such
as registrars (certification bodies) or regulators.

2. Process Approach & Process Auditing

Process Approach
The process approach emphasizes the importance of:
Understanding and meeting requirements
Looking at processes in terms of added value
Obtaining results of process performance
Continual improvement of process

PDCA (Plan-Do-Check-Act)
PLAN: What to do? How to do?
DO: Do what was planned
CHECK: Did things happen according to plan?
ACT: How to improve next time?

Workshop 02

PDCA (Plan-Do-Check-Act)
[Figure: PDCA model of a process-based QMS. Labels: Continual Improvement of QMS; Customer Requirements (input); Management Responsibility; Resource Management; Product Realization; Measurement, Analysis, Improvement; Product (output); Customer Satisfaction; Plan, Do, Check, Act. Legend: value-adding activities, information flow.]

PDCA (Plan-Do-Check-Act)
PDCA (plan-do-check-act or plan-do-check-adjust) is an
iterative four-step management method used in business for
the control and continuous improvement of processes and
products.
It is also known as the Deming circle/cycle/wheel, Shewhart
cycle, control circle/cycle, or plan-do-study-act (PDSA).

By Wikipedia

Management System Standards vs the Process Approach
ISO 9001:2015:
Is based upon the PDCA cycle which can be applied to
processes
Applies the PDCA cycle to implementing, operating,
monitoring, exercising, maintaining and improving the
effectiveness of a QMS
ISO 19011:2002 does not explicitly mention process audits,
but is written for application to all management system
audits

Applying the Process Approach


Auditors can apply the process approach to auditing by
ensuring the auditee:
Can define the objectives, inputs, outputs, activities, and
resources for its processes
Analyzes, monitors, measures, and improves its
processes
Understands the sequence and interaction of its
processes

Process Auditing Approaches


Individual Process:
Input / Output / Value-added Activity
Plan-Do-Check-Act
Resources
Relationship with other processes:
Flow / Sequence / Linkage / Combination
Interaction / Communication
Evidence
Customer and supplier contract(s)

Process Auditing Turtle Diagram

Workshop 03

Answers for Workshop 03-Turtle Diagram

3. Managing Audit Program

Managing an Audit Program Process Flow

AUTHORIZE
PLAN - ESTABLISH: objectives, extent, roles, resources, procedures
DO - IMPLEMENT: schedule audits, evaluate auditors, select teams, direct activities, maintain records
CHECK - MONITOR & REVIEW: monitor, review, identify need for CA/PA, identify opportunities to improve
ACT - IMPROVE
Related boxes: Auditor competence & evaluation; Specific audit activities

Audit Activities
PLAN
Initiating the Audit
Conducting Document Review
Preparing for On-site Activities
DO
Conducting On-site Activities
Preparing, Approving, Distributing Audit Report
CHECK
Completing the Audit
ACT
Completing Audit Follow Up

Workshop 04

Audit Program
Top management should authorize responsibility for
program management to:
Establish, implement, review, and improve the audit
program
Identify the necessary resources and ensure they are
provided
Organization should develop audit program processes
Program should be managed by a member of the
organization
Keep appropriate audit records to monitor and review the
audit program

Initiating the Audit


Initiating the audit includes:

Appointing the audit team leader


Defining audit objectives, scope, criteria
Determining feasibility of the audit
Selecting the audit team
Establishing initial contact with the auditee

Defining Audit Objectives, Scope, Criteria


Audit Objectives may include:
Determining the extent of conformity of the auditee's QMS with
audit criteria
Evaluation of capability of QMS to ensure compliance with
statutory, regulatory, and contractual requirements
Evaluation of effectiveness of the QMS to meet its objectives
Identification of areas of improvement

What is the difference between audit scope and audit criteria?
Audit Scope: extent and boundaries of an audit.
The audit scope generally includes a description of the physical
locations, organizational units, activities and processes, as well as
the time period covered.
It tells:
when audit shall be conducted (start and end date)
what/who are we going to audit
where the audit shall be done
Audit scope shall be derived from the QMS Scope.

Audit Criteria: set of policies, procedures or requirements.
Audit criteria are used as a reference against which audit evidence is
compared.
It tells:
what we are going to check (or audit) for conformance
what the requirements of the audit are
Audit criteria could be a combination of the following:
ISO requirement (example ISO 9001, ISO 27001, ISO 14001, etc.)
Statutory or Regulatory Requirement
Organization Process/Policies/Procedures, etc.
Customer Requirement

Example:
A company located in Selangor and Muar is certified to ISO
9001 & ISO 14001
Audit Scope? Audit Criteria?

Audit Scope:
Location: Selangor and Muar
When: 24-March-2014 to 26-March-2014
Who: All the departments/functions within the organization.
Audit Criteria:
ISO 9001 & ISO 14001
Statutory or Regulatory Requirement related to the business in
which the company is.
Organization Process/Policies/Procedures, etc.
Customer Requirement

Selecting the Audit Team


For Team size and competence, consider:
Audit objectives, scope, criteria, and duration
Whether audit is combined or joint
Competence of team to meet objectives
Statutory, regulatory, contractual and
accreditation/certification requirements
Independence of the team

5. Auditor Competence & Responsibilities

Auditor Competence
Auditor competence is based on:
Personal attributes
Application of knowledge and skills
Competence is to be developed, maintained, and
improved

Workshop 05

Auditor Competence
Personal attributes:
Self-reliant
Open-minded
Ethical
Diplomatic
Decisive
Tenacious
Observant
Versatile
Perceptive

Auditor Competence
Auditor skills and competence could include:
Audit principles, procedures, and techniques
Management system and reference documents
Organizational situations
Laws, regulations, and other requirements

Auditor Competence
Specific knowledge and skills for quality auditors
could include:
Quality methods and techniques
Quality terminology
Quality management tools and their application
Processes and products/services specific to the
sector being audited

Auditor Responsibilities

Arrive on time
Maintain confidentiality
Be objective and ethical
Support the audit team and team leader
Plan and prepare work documents
Inform auditees of the audit process
Document and support all findings
Keep auditee informed
Safeguard all documents
Prepare the audit report

Audit Activities (Cont'd)

Audit Planning

Determine the objective of the audit


Identify specified requirements
Determine audit duration and resources needed
Select the team
Contact the auditee and agree the date(s)
Draw up audit plan
Brief the team
Prepare work documents

Conducting Document Review


A review of documentation:
Should be conducted prior to on-site audit activities
unless deferring review is not detrimental to the
effectiveness of the audit
May include relevant QMS documents, records, and
previous audit reports
May include a preliminary site visit

Prepare Work Documents


Prepare work documents
Use as a reference and for recording audit proceedings
Include checklists, sampling plans and forms, ISO 9001:2008
standard, etc.
Keep checklists flexible to allow changes resulting from
information collected during the audit
Safeguard any confidential and proprietary information
Retain work documents and records

Checklists Preparation
One Approach is to:
Identify audit scope and process(es) within scope
Identify applicable factors (inputs, outputs, measures,
resources, etc.)
Use these points and other requirements
(ISO 9001:2015, system documentation, etc.) to:
Plan what to look at
Plan what to look for (audit evidence)
Prepare checklist
Workshop 06

Checklists Structure
Audit checklist structure
PROCESS / ACTIVITY AUDITED:
REQUIREMENT (ISO 9001:2008 Clause No. or other requirement) | SOURCE (What to Look At) | EVIDENCE (What to Look For) | NOTES

Conduct on-Site Audit Activities

Conduct opening meeting


Communicate during the audit
Explain roles and responsibilities of participants
Collect and verify information
Generate audit findings
Prepare audit conclusions
Conduct closing meeting

Opening Meeting
Hold opening meeting with auditee top management and
those responsible for processes audited
Meeting may be informal
Chaired by team leader
Audit team present
Purpose is to confirm all prior arrangements

Workshop 07

Collecting and Verifying Information
SOURCE of info -> Collect by appropriate SAMPLING & VERIFICATION -> EVALUATE against audit criteria -> REVIEW -> CONCLUDE

Collect & Verify information


Collect information relevant to:
Audit objectives, scope, and criteria
interfaces between functions, activities and processes
Collect audit evidence by appropriate sampling and verify
and record it
Be aware of sampling limitations when acting on the audit
conclusions
Use only information that is verifiable as audit evidence

Techniques to Obtain Audit Evidence


Interview:
Personnel that manage, perform, and verify activities
Also ensure they are responsible for the activity being
audited
Listen carefully to responses
Observe:
Identity, status, condition, processes, equipment,
activities, environment, and people

Audit Evidence
Review documents that describe:

Activities
Plans
Controls
Strategies
Exercises
Tests

Review records for evidence of conformity to documents


Review records, statements of fact, or other information
which are relevant to the audit criteria and verifiable
Audit evidence may be qualitative or quantitative

Communication & Interpersonal Skills


Put auditee at ease
Ask short questions and listen
Reflect right attitude, tone of voice, body language, and
facial expressions
Smile and show eye contact
Avoid interruptions
Avoid off-the-cuff and condescending remarks
Give praise when appropriate

Communication & Interpersonal Skills

Show interest
Be tactful and polite
Show patience and understanding
Remember to say please and thank you
Ask the right person
Don't say you understand when you do not

Questioning Technique
Open question
Using why, who, what, where, when, or how gets more
than a yes or no answer
Expansive question
Further elaborates the current point
Opinion question
Asks opinion about current point
Non-verbal
Uses body language, for example: raise eye-brow to
elicit further information

Questioning Technique
Repetitive question
Repeats back response in form of a question
Hypothetical question
Uses what if, suppose that, etc.
Closed question
Gets yes or no answer
Avoid using too often
Used for confirmation
Silence
Draws more information

Note Taking
Notes could be used as reference for:
Immediate investigation
Investigation later
Use by a colleague
Subsequent audits
Notes taken during an audit are a record of:
The audit sample taken
What was reported
What was observed
Notes may be referenced by subsequent auditor

Control of the Audit


Checklist is an aid, not a requirement
If potential audit trails appear, decide to:
Disregard
Note for later
Follow up immediately
Following audit trails may affect:
Sample size
Audit plan

Handling Difficult Situation
Uncooperative
Cannot find document
Volunteered information
Unprepared
Long telephone calls
Constant interruptions
Long auditees
Diversionary tactics
Interdepartmental / personality conflicts
Boastful
Called away
Language
Provocation
Noisy environment

Workshop 07

Establish the Facts


Judgment in the Audit Process
Audit focus must be on conformity and effectiveness,
NOT on finding nonconformities
The auditee must be given the benefit of any doubt where
there is insufficient audit evidence

Establish the Facts


Discuss concerns
Verify the findings
Record all the evidence:
Exact observation
Where, what, etc.
Establish why it is a nonconformity or otherwise
State who (if relevant) preferably by job title
Obtain agreement with the facts

Generate Audit Findings


Evaluate audit evidence against audit criteria to generate
audit findings
Indicate if findings are conformities, nonconformities or
opportunities for improvement
Meet (audit team) to review findings
Specify (with supporting evidence) or summarize
conformity by location, function, or processes, as
required by audit plan

Nonconformity
Non-fulfilment of a specified requirement:
Not doing it
Partially doing it
Doing it the wrong way
Specified requirement:
Conditions of the customer contract
Quality standard (ISO 9001:2015)
Quality management system
Statutory or regulatory requirements

Generate Audit Findings


Record nonconformity findings and supporting evidence
Obtain auditee acknowledgement of nonconformities for
accuracy and understandability
Try and resolve differences of opinion
Keep a record of unresolved issues

Nonconformity - MINOR
Failure to comply with a requirement which (based on
judgment and experience) is not likely to result in QMS
failure
Single observed lapse or isolated incident
Minimal risk of nonconforming product or service
Examples:
A two month lapse in the internal audit program
A training record not available
No actions taken to improve system based on previous
result findings

Nonconformity - MAJOR
Absence or total breakdown of a system to meet a
requirement
A number of minors related to the same clause or
requirement
A nonconformity that experience and judgment indicate
will likely result in QMS failure or significantly reduce its
ability to assure controlled processes and products

Nonconformity - MAJOR
Examples:
No documented procedure for a required documented ISO
9001:2008 process/activity
Document changes routinely made without authorization
No awareness program for the quality management
system
No future planned internal audits
Insufficient scope
Numerous minor nonconformities found in the production
process

Classifying the Nonconformity


Consider the seriousness:
What could go wrong if the nonconformity remains
uncorrected?
Is it likely the system would detect it before the customer
is affected?
If you are not certain it is a nonconformity, it is not.
You must have:
A requirement that has been broken
Proof that it has been broken

Good Report Examples


NONCONFORMITY REPORT

Incident No. / CAR No.: 01

Company under audit: ABC Sdn. Bhd.


Area under Review: Purchasing
Category: Major / Minor
ISO 9001 Clause number: 7.4

Requirement:
Clause 7.4.1 of ISO 9001:2008 requires that the organization establish criteria for evaluation
and re-evaluation of suppliers.
Nonconformity Findings:
Upon speaking with the Purchasing Manager, it was found that no evaluation of XYZ supplier
had taken place since the contract was signed and business began with XYZ supplier.

Poor Report Examples


The nonconformity statements below are inadequate due to
the lack of specified requirements and detailed evidence:
Steering Group meeting minutes are not adequate
The authority level for the Emergency Controller must be
documented for clarify purposes

Preparing Audit Conclusions


Audit team confer prior to the closing meeting:
Scheduling of the audit plan
To plan for closing meeting
Purpose is to:
Review audit findings and other information
Agree on audit conclusions
To prepare the audit report and recommendations
If included in audit plan, to discuss audit follow-up

Audit Report
Prepare, Approve & Distribute
1. Audit reference
2. Client and Auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan dates, places, areas audited and timing
7. Summary of audit process
8. Audit Summary
9. Uncertainty due to sampling
10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in audit scope not covered
14. Any unresolved issues between the auditee and team
15. Confirmation that audit objectives accomplished
16. Confidentiality statement
17. Distribution list

Audit Report Distribution


Issue within agreed time period
If delayed, provide reasons and agree on new issue date
Report must be dated, reviewed, and approved as per
procedures
Distribute to recipients designated by audit client
Report is property of audit client
Recipients and audit team must respect the confidentiality
of the report

Completing the Audit


Audit is complete when all activities in audit plan have
been carried out and audit report is distributed
Maintain or dispose of audit documents based on
contractual, regulatory, and audit program procedures
Maintain confidentiality of audit documents, information,
and report
Notify audit client and auditee ASAP if disclosure of audit
information is required.

Closing Meeting
Hold closing meeting to present audit findings and
conclusions
Cover situations encountered during audit that may
decrease reliance on audit conclusions
Discuss and resolve diverging audit findings and
conclusions
Keep a record if not resolved
Provide recommendations for improvement where
specified by audit objectives
Keep minutes and attendance records
Will normally be informal for internal audits

Completing the Audit


Conducting the Follow-up
Audit conclusions may require corrective, preventive, or
improvement actions
Auditee decides and carries out these actions within
agreed timeframe
These actions are not part of the audit
Audit team member should verify completion and
effectiveness of actions taken
This verification may be part of a subsequent audit
Maintain independence in subsequent audit activities

Completing the Audit


Correct the Follow-up

Auditee receives the nonconformity report


Auditee prepares and approves a corrective action plan
Auditee submits the plan to auditors
Auditors evaluate and approve the plan
Auditee implements the approved corrective action plan
Auditor verifies the implementation and effectiveness
Records of all actions taken by auditor and auditee

Conclusion

Workshop 08

Q&A

THANK YOU
