CONSULTANT AND TRAINING CENTRE SDN BHD (1089456-K)


INTERNAL AUDITOR TRAINING

Table of Content

  1. Introduction to Auditing
  2. Process Approach & Process Auditing
  3. Managing Audit Programme
  4. Auditing Activities
  5. Competency & Responsibilities of Auditor
  6. Conclusion

1. Introduction to Auditing

What is an audit?

Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (ISO 19011:2002 clause 3.1)

An evidence gathering process

Why audit?

  • Requirement of ISO 9001:2015
  • Monitor and measure the management system
  • Promote continuous improvement of the management system

Principle of Auditing

Principles relating to auditors:

  • Ethical conduct
  • Fair presentation
  • Due professional care

Principles relating to audit:

  • Independence
  • Evidence-based approach

Note: reference to ISO 19011:2002 Clause number 4.0

Benefits of Auditing

  • Verifies conformity to requirements
  • Increases awareness and understanding
  • Provides a measurement of effectiveness of the management system to top management
  • Reduces risk of management system failure
  • Identifies improvement opportunities
  • Continuous improvement if performed regularly

Type of Audit

  • First-party (internal audit)
  • Second-party (external audit)
  • Third-party (external audit)

Answers for Workshop 01-Type of Audit

First-party audit

Organizations use first party audits to audit themselves. First party audits are used to confirm or improve the effectiveness of management systems. They're also used to declare that an organization complies with an ISO standard (this is called a self-declaration). Of course, such a declaration is credible only if first party auditors are genuinely independent and free of bias. If you decide to use first party auditors to make a self-declaration of compliance, make sure that they aren't auditing their own work.

Second-party audit

They're usually done by customers or by others on their behalf. However, they can also be done by regulators or any other external party that has a formal interest in an organization.

Third-party audit

They’re performed by independent organizations such as registrars (certification bodies) or regulators.

2. Process Approach & Process Auditing

Process Approach

The process approach emphasizes the importance of:

  • Understanding and meeting requirements
  • Looking at processes in terms of added value
  • Obtaining results of process performance
  • Continual improvement of process

PDCA (Plan-Do-Check-Act)

  • PLAN: What to do? How to do?
  • DO: Do what was planned
  • CHECK: Did things happen according to plan?
  • ACT: How to improve next time?

Workshop 02

PDCA (Plan-Do-Check-Act)

[Figure: PDCA model of a process-based QMS. Labels: Customer Requirements (input); Management Responsibility; Resource Management; Product Realization (output: Product); Measurement, Analysis, Improvement; Continual Improvement of QMS; Customer Satisfaction; PLAN, DO, CHECK, ACT. Legend: Value-adding activities, Information flow]

PDCA (Plan-Do-Check-Act)

PDCA (plan–do–check–act or plan–do–check–adjust) is an iterative four-step management method used in business for the control and continuous improvement of processes and products.

It is also known as the Deming circle/cycle/wheel, Shewhart cycle, control circle/cycle, or plan–do–study–act (PDSA).

By Wikipedia

Management System Standards vs the Process Approach

ISO 9001:2015 :

  • Is based upon the PDCA cycle which can be applied to processes
  • Applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a QMS

ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits

Applying the Process Approach

Auditors can apply the process approach to auditing by ensuring the auditee:

  • Can define the objectives, inputs, outputs, activities, and resources for its processes
  • Analyzes, monitors, measures, and improves its processes
  • Understands the sequence and interaction of its processes

Process Auditing Approaches

Individual Process:

  • Input / Output / Value-added Activity
  • Plan-Do-Check-Act
  • Resources

Relationship with other processes:

  • Flow / Sequence / Linkage / Combination
  • Interaction / Communication Evidence
  • Customer and supplier contract(s)

Process Auditing “Turtle Diagram”

Workshop 03

Answers for Workshop 03-Turtle Diagram

3. Managing Audit Program

Managing an Audit Program Process Flow

[Figure: process flow for managing an audit program]

  • PLAN: Authorize; Establish (objectives, extent, roles, resources, procedures)
  • DO: Implement (schedule audits, evaluate auditors, select teams, direct activities, maintain records)
  • CHECK: Monitor & review (monitor, review, identify need for CA/PA, identify opportunities to improve)
  • ACT: Improve
  • Linked boxes: Auditor competence & evaluation; Specific audit activities

Audit Activities

[Figure: audit activities shown against PLAN, DO, CHECK, ACT]

  • Initiating the Audit
  • Conducting Document Review
  • Preparing for On-site Activities
  • Conducting On-site Activities
  • Preparing, Approving, Distributing Audit Report
  • Completing the Audit
  • Completing Audit Follow Up

Audit Program

Top management should authorize responsibility for program management to:

  • Establish, implement, review, and improve the audit program
  • Identify the necessary resources and ensure they are provided

  • Organization should develop audit program processes
  • Program should be managed by a member of the organization
  • Keep appropriate audit records to monitor and review the audit program

Initiating the Audit

Initiating the audit includes:

  • Appointing the audit team leader
  • Defining audit objectives, scope, criteria
  • Determining feasibility of the audit
  • Selecting the audit team
  • Establishing initial contact with the auditee

Defining Audit Objectives, Scope, Criteria

Audit Objectives may include:

  • Determining the extent of conformity of auditee’s QMS with audit criteria
  • Evaluation of capability of QMS to ensure compliance with statutory, regulatory, and contractual requirements
  • Evaluation of effectiveness of the QMS to meet its objectives
  • Identification of areas of improvement

What is the difference between audit scope and audit criteria?

Audit Scope – extent and boundaries of an audit.

The audit scope generally includes a description of the physical locations, organizational units, activities and processes, as well as the time period covered.

It tells:

  • when the audit shall be conducted (start and end date)
  • what/who we are going to audit
  • where the audit shall be done

Audit scope shall be derived from the QMS Scope.

Audit Criteria – set of policies, procedures or requirements.

Audit criteria are used as a reference against which audit evidence is compared.

It tells:

  • what we are going to check (or audit) for conformance
  • what the requirements of the audit are

Audit criteria could be a combination of the following:

  • ISO requirement (example ISO 9001, ISO 27001, ISO 14001, etc.)
  • Statutory or Regulatory Requirement
  • Organization Process/Policies/Procedures, etc.
  • Customer Requirement

Example:

A company located at Selangor and Muar is certified to ISO 9001 & ISO 14001.

Audit Scope? Audit Criteria?

Audit Scope:

  • Location: Selangor and Muar
  • When: 24-March-2014 – 26-March-2014
  • Who: All the departments/functions within the organizations.

Audit Criteria:

  • ISO 9001 & ISO 14001
  • Statutory or Regulatory Requirement related to the business the company is in
  • Organization Process/Policies/Procedures, etc.
  • Customer Requirement

Selecting the Audit Team

For Team size and competence, consider:

  • Audit objectives, scope, criteria, and duration
  • Whether audit is combined or joint
  • Competence of team to meet objectives
  • Statutory, regulatory, contractual and accreditation/certification requirements
  • Independence of the team

5. Auditor Competence & Responsibilities

Auditor Competence

Auditor competence is based on:

  • Personal attributes
  • Application of knowledge and skills

Competence is to be developed, maintained, and improved

Auditor Competence

Personal attributes:

  • Open-minded
  • Self-reliant
  • Perceptive
  • Ethical
  • Decisive
  • Diplomatic
  • Tenacious
  • Observant
  • Versatile

Auditor Competence

Auditor skills and competence could include:

  • Audit principles, procedures, and techniques
  • Management system and reference documents
  • Organizational situations
  • Laws, regulations, and other requirements

Auditor Competence

Specific knowledge and skills for quality auditors could include:

  • Quality methods and techniques
  • Quality terminology
  • Quality management tools and their application
  • Processes and products/services specific to the sector being audited

Auditor Responsibilities

  • Arrive on time
  • Maintain confidentiality
  • Be objective and ethical
  • Support the audit team and team leader
  • Plan and prepare work documents
  • Inform auditees of the audit process
  • Document and support all findings
  • Keep auditee informed
  • Safeguard all documents
  • Prepare the audit report

Audit Activities (Cont’d)

Audit Planning

  • Determine the objective of the audit
  • Identify specified requirements
  • Determine audit duration and resources needed
  • Select the team
  • Contact the auditee – agree the date(s)
  • Draw up audit plan
  • Brief the team
  • Prepare work documents

Conducting Document Review

A review of documentation:

  • Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit
  • May include relevant QMS documents, records, and previous audit reports
  • May include a preliminary site visit

Prepare Work Documents

  • Prepare work documents
  • Use as a reference and for recording audit proceedings
  • Include checklists, sampling plans and forms, ISO 9001:2008 standard, etc.
  • Keep checklists flexible to allow changes resulting from information collected during the audit
  • Safeguard any confidential and proprietary information
  • Retain work documents and records

Checklists Preparation

One Approach is to:

  • Identify audit scope and process(es) within scope
  • Identify applicable factors (inputs, outputs, measures, resources, etc.)
  • Use these points and other requirements (ISO 9001:2015, system documentation, etc.) to:
      • Plan what to look at
      • Plan what to look for (audit evidence)
  • Prepare checklist

Checklists Structure

Audit checklist structure

PROCESS / ACTIVITY AUDITED:

| REQUIREMENT | SOURCE | EVIDENCE | NOTES |
|---|---|---|---|
| ISO 9001:2008 Clause No. or other requirement | What to “Look At” | What to “Look For” | |

Conduct on-Site Audit Activities

  • Conduct opening meeting
  • Communicate during the audit
  • Explain roles and responsibilities of participants
  • Collect and verify information
  • Generate audit findings
  • Prepare audit conclusions
  • Conduct closing meeting

Opening Meeting

  • Hold opening meeting with auditee top management and those responsible for processes audited
  • Meeting may be informal
  • Chaired by team leader
  • Audit team present
  • Purpose is to confirm all prior arrangements

Collecting and Verifying Information

[Flow: Source of info; Collect by appropriate sampling & verification; Evaluate against audit criteria; Review; Conclude]

Collect & Verify information

Collect information relevant to:

  • Audit objectives, scope, and criteria
  • Interfaces between functions, activities and processes

  • Collect audit evidence by appropriate sampling and verify and record it
  • Be aware of sampling limitations, if acting on the audit conclusion
  • Use only information that is verifiable as audit evidence

Techniques to Obtain Audit Evidence

Interview:

  • Personnel that manage, perform, and verify activities
  • Also ensure they are responsible for the activity being audited
  • Listen carefully to responses

Observe:

Identity, status, condition, processes, equipment, activities, environment, and people

Audit Evidence

Review documents that describe:

  • Activities
  • Plans
  • Controls
  • Strategies
  • Exercises
  • Tests

  • Review records for evidence of conformity to documents
  • Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
  • Audit evidence may be qualitative or quantitative

Communication & Interpersonal Skills

  • Put auditee at ease
  • Ask short questions and listen
  • Reflect right attitude, tone of voice, body language, and facial expressions
  • Smile and show eye contact
  • Avoid interruptions
  • Avoid off-the-cuff and condescending remarks
  • Give praise when appropriate

Communication & Interpersonal Skills

  • Show interest
  • Be tactful and polite
  • Show patience and understanding
  • Remember to say please and thank you
  • Ask the right person
  • Don't say you understand when you do not

Questioning Technique

  • Open question: Using why, who, what, where, when, or how gets more than a yes or no answer
  • Expansive question: Further elaborates the current point
  • Opinion question: Asks opinion about current point
  • Non-verbal: Uses body language, for example: raise eyebrow to elicit further information

Questioning Technique

  • Repetitive question: Repeats back response in form of a question
  • Hypothetical question: Uses what if, suppose that, etc.
  • Closed question: Gets yes or no answer; avoid using too often; used for confirmation
  • Silence: Draws more information

Note Taking

Notes could be used as reference for:

  • Immediate investigation
  • Investigation later
  • Use by a colleague
  • Subsequent audits

Notes taken during an audit are a record of:

  • The audit sample taken
  • What was reported
  • What was observed

Notes may be referenced by subsequent auditor

Control of the Audit

  • Checklist is an aid, not a requirement
  • If potential audit trails appear, decide to:
      • Disregard
      • Note for later
      • Follow up immediately
  • Following audit trails may affect:
      • Sample size
      • Audit plan

Handling Difficult Situation

  • Uncooperative
  • Cannot find document
  • Long telephone calls
  • Provocation
  • Volunteered information
  • Unprepared
  • Constant interruptions
  • Noisy environment
  • Long auditees
  • Diversionary tactics
  • Boastful
  • Called away
  • Language
  • Interdepartmental / Personality conflicts

Establish the Facts Judgment in the Audit Process

  • Audit focus must be on conformity and effectiveness, NOT on finding nonconformities
  • The auditee must be given the benefit of any doubt where there is insufficient audit evidence

Establish the Facts

  • Discuss concerns
  • Verify the findings
  • Record all the evidence:
      • Exact observation
      • Where, what, etc.
      • Establish why a nonconformity or otherwise
      • State who (if relevant) – preferably by job title
      • Obtain agreement with the facts

Generate Audit Findings

  • Evaluate audit evidence against audit criteria to generate audit findings
  • Indicate if findings are conformities, nonconformities or opportunities for improvement
  • Meet (audit team) to review findings
  • Specify (with supporting evidence) or summarize conformity by location, function, or processes, as required by audit plan

Nonconformity

Non-fulfilment of a specified requirement:

  • Not doing it
  • Partially doing it
  • Doing it the wrong way

Specified requirement:

  • Conditions of the customer contract
  • Quality standard (ISO 9001:2015)
  • Quality management system
  • Statutory or regulatory requirements

Generate Audit Findings

  • Record nonconformity findings and supporting evidence
  • Obtain auditee acknowledgement of nonconformities for accuracy and understandability
  • Try and resolve differences of opinion
  • Keep a record of unresolved issues

Nonconformity - MINOR

  • Failure to comply with a requirement which (based on judgment and experience) is not likely to result in QMS failure
  • Single observed lapse or isolated incident
  • Minimal risk of nonconforming product or service

Examples:

  • A two month lapse in the internal audit program
  • A training record not available
  • No actions taken to improve system based on previous result findings

Nonconformity - MAJOR

  • Absence or total breakdown of a system to meet a requirement
  • A number of minors related to the same clause or requirement
  • A nonconformity that experience and judgment indicate will likely result in QMS failure or significantly reduce its ability to assure controlled processes and products

Nonconformity - MAJOR

Examples:

  • No documented procedure for a required documented ISO 9001:2008 process/activity
  • Document changes routinely made without authorization
  • No awareness program for the quality management system
  • No future planned internal audits
  • Insufficient scope
  • Numerous minor nonconformities found in the production process

Classifying the Nonconformity

Consider the seriousness:

  • What could go wrong if the nonconformity remains uncorrected?
  • Is it likely the system would detect it before the customer is affected?
  • If you are not certain it is a nonconformity, it is not.

You must have:

  • A requirement that has been broken
  • Proof that it has been broken

Good Report Examples

NONCONFORMITY REPORT

Incident No. / CAR No.: 01

Company under audit: ABC Sdn. Bhd.

Area under Review: Purchasing

ISO 9001 Clause number 7.4

Category: Major / Minor

Requirement:

Clause 7.4.1 of ISO 9001:2008 requires that the organization establish criteria for evaluation and re-evaluation of suppliers.

Nonconformity Findings:

Upon speaking with the Purchasing Manager, it was found that no evaluation of XYZ supplier had taken place since the contract was signed and business began with XYZ supplier.

Poor Report Examples

The nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:

  • Steering Group meeting minutes are not adequate
  • The authority level for the Emergency Controller must be documented for clarity purposes

Preparing Audit Conclusions

Audit team confer prior to the closing meeting:

  • Scheduling of the audit plan
  • To plan for closing meeting

Purpose is to:

  • Review audit findings and other information
  • Agree on audit conclusions
  • To prepare the audit report and recommendations
  • If included in audit plan, to discuss audit follow-up

Audit Report Prepare, Approve & Distribute

  1. Audit reference
  2. Client and Auditee details
  3. Audit team details
  4. List of auditee representatives
  5. Objectives, scope, and criteria
  6. Audit plan – dates, places, areas audited and timing
  7. Summary of audit process
  8. Audit Summary
  9. Uncertainty due to sampling
  10. Nonconformity reports
  11. Recommendation
  12. Obstacles encountered
  13. Any areas in audit scope not covered
  14. Any unresolved issues between the auditee and team
  15. Confirmation that audit objectives accomplished
  16. Confidentiality statement
  17. Distribution list

Audit Report Distribution

  • Issue within agreed time period
  • If delayed, provide reasons and agree on new issue date
  • Report must be dated, reviewed, and approved as per procedures
  • Distribute to recipients designated by audit client
  • Report is property of audit client
  • Recipients and audit team must respect the confidentiality of the report

Completing the Audit

  • Audit is complete when all activities in audit plan have been carried out and audit report is distributed
  • Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
  • Maintain confidentiality of audit documents, information, and report
  • Notify audit client and auditee ASAP if disclosure of audit information is required.

Closing Meeting

  • Hold closing meeting to present audit findings and conclusions
  • Cover situations encountered during audit that may decrease reliance on audit conclusions
  • Discuss and resolve diverging audit findings and conclusions
  • Keep a record if not resolved
  • Provide recommendations for improvement where specified by audit objectives
  • Keep minutes and attendance records
  • Will normally be informal for internal audits

Completing the Audit Conducting the Follow-up

  • Audit conclusions may require corrective, preventive, or improvement actions
  • Auditee decides and carries out these actions within agreed timeframe
  • These actions are not part of the audit
  • Audit team member should verify completion and effectiveness of actions taken
  • This verification may be part of a subsequent audit
  • Maintain independence in subsequent audit activities

Completing the Audit Correct the Follow-up

  • Auditee receives the nonconformity report
  • Auditee prepares and approves a corrective action plan
  • Auditee submits the plan to auditors
  • Auditors evaluate and approve the plan
  • Auditee implements the approved corrective action plan
  • Auditor verifies the implementation and effectiveness
  • Records of all actions taken by auditor and auditee

Conclusion

Q & A

THANK YOU