Agnes Sopel

Conducting Audits



ISO 19011:2018 provides guidelines for conducting audits. The process begins with initiating the audit, which involves establishing initial contact with the auditees and determining the feasibility of the audit.

Integrity is paramount, and audits should align with the capabilities of the audit team, ensuring expertise within the relevant industry. This falls under the feasibility assessment.


Clear terms of the audit are agreed upon, often formalised in a contract or document. Subsequently, audit activities are prepared, incorporating a risk-based approach. The audit team is assigned roles, and thorough planning ensues based on the breakdown of the audit into stages. These stages may include gap analysis, feasibility assessment, Stage 1 audit, and Stage 2 audit. An activities table is created to outline serial numbers, tasks, durations, costs, required resources, and assessors. For instance, gap analysis activities could encompass logistics, assembling the audit team, site visits, opening and closing meetings, documentation reviews, report preparation, and Stage 2 audit processes.


A critical aspect involves determining dependencies between activities and resources. Duration estimates are established, with tools like project management software aiding in defining critical paths. Costs are estimated for the various activities, and the allocation of resources, including auditors and documentation, is planned. The audit areas may be distributed among auditors. The audit plan can be managed with tools like Microsoft Project, and the scheduled activities are marked on the calendar. Team members are notified of their schedules and responsibilities.


The execution phase follows, encompassing the implementation of the audit plan, completion of audit activities, and report preparation. While checklists are valuable tools, they should not be overly relied upon. They serve as reminders and reference points, but auditors must employ investigative skills to ensure comprehensive assessments.

Checklists, in various formats such as question lists or 'look at' and 'look for' forms, need to be well-structured and tailored to the audit's focus. They should provide space for notes, reference criteria and control documents, and allow time control and recording. It's important to avoid allowing checklists to overly restrict reasoning or hamper communication.

Conducting Audit Activities



Performing audits involves assigning roles and responsibilities, conducting opening meetings, maintaining effective communication, ensuring access to audit information, reviewing and verifying information, generating findings, and determining conclusions. Key considerations include cultural sensitivity, timely preparations, and effective communication.


Opening meetings serve to confirm agreement, introduce the audit team, and outline the plan. The agenda covers various aspects such as objectives, scope, methods, communication channels, confidentiality, and health and safety protocols. Senior management should be included, and the meeting should not extend beyond 20-30 minutes.


Communication remains crucial throughout the audit process. Periodic updates, significant findings, and concerns must be communicated effectively to stakeholders. Additionally, arrangements for communication with auditees and the audit team should be formalised.


After the audit, information security measures are vital, and access to audit information should be available upon request. Document reviews are conducted to assess the conformity of the system against audit criteria. Evidence is collected through observation, interviews, and examination. Objective evidence derived from observations, documents, and statements plays a vital role in verifying audit information.


During the audit, auditors should take comprehensive, accurate, and relevant notes. These notes capture document numbers, dates, names, objects, and statements made during the audit. The use of open-ended questions encourages informative responses, while silence can also be used strategically to gather information. Active listening skills are essential, helping auditors focus on the information provided by the respondent. To ensure efficient time management, auditors should discourage time-wasting behaviors, stick to the predetermined sample size, and avoid getting sidetracked.


Audit Findings


Audit findings encompass various conclusions, including conformity, non-conformity, opportunities for improvement, and positives. Conformities denote fulfilment of requirements, non-conformities highlight discrepancies, opportunities for improvement suggest enhancements, and positives acknowledge good practices.


The distinction between major and minor non-conformities is crucial. Major non-conformities signal system breakdowns, while minor ones are isolated lapses that don't undermine the system's integrity. Non-conformities should be stated factually, including the relevant clause numbers, audit criteria, and their grades.


Examples of non-conformities


  1. Incomplete Documentation: The audit reveals that certain mandatory documents required by ISO 9001, such as documented procedures or work instructions, are missing or not up-to-date within the audited process. This represents a non-conformity as per the requirement of maintaining accurate and current documentation.

  2. Lack of Employee Training Records: The audit identifies that training records for employees within a specific area are either incomplete or unavailable. This non-conformity arises from the requirement to maintain evidence of training and competence for employees performing tasks that affect the quality of products or services.

  3. Unresolved Corrective Actions: The audit exposes that corrective actions reported from previous audits or non-conformity resolutions have not been adequately addressed or closed out. This non-conformity relates to the need to effectively implement and track corrective actions to prevent recurrence of issues.

  4. Defective Product Identification: The audit uncovers instances where non-conforming products are not properly identified and segregated from conforming products, leading to potential mixing or shipment of faulty products. This non-conformity arises from the requirement to have a clear process for controlling non-conforming products.

  5. Ineffective Internal Auditing: The audit finds that the internal audit process itself lacks effectiveness, with evidence of inadequate planning, execution, or reporting of audits. This non-conformity is based on the requirement for a well-structured internal audit program that ensures accurate assessment of the quality management system.

Each of these examples illustrates a situation where the organisation's practices deviate from ISO 9001 requirements, resulting in non-conformities that need to be addressed for continuous improvement and adherence to quality standards.



Upon receiving the non-conformity report, auditees are expected to propose corrective actions, outlining steps to address the issues identified. A comprehensive audit conclusion is reached, incorporating the audit findings and any recommendations. Differences in opinions are resolved, and achievements are acknowledged.


The closing meeting serves as a platform to present findings and conclusions, chaired by the lead auditor. It's an opportunity to reaffirm agreement and discuss audit follow-up procedures.

By adhering to these audit processes, organisations can conduct effective and comprehensive assessments, driving continuous improvement and adherence to ISO 9001 standards.


Audit Reporting and Follow-Up


Audit reports serve as formal statements summarising the audit's outcomes. The lead auditor is responsible for ensuring the report's accuracy and completeness. The language should be simple and clear while still conveying the complete audit results. The report covers both conformities and non-conformities, along with positive findings and opportunities for improvement. The lead auditor treats the report as confidential information; its informative, accurate, and precise content delivers value to the Quality Management system.


When crafting the report, it's essential to include audit objectives, scope, client information, audit team details, dates and locations, references to audit criteria, units audited, participants, findings accompanied by relevant evidence, conclusions, unresolved matters, audit nature, sampling details, and a confidentiality statement.


The audit report can also encompass the audit plan, process description, confirmation of objectives met, main conclusions, agreed-upon follow-up action plans, and details about audit report distribution. Timely reporting is crucial, as available time rarely increases later. Reporting non-conformities promptly is especially valuable; generate Non-Conformity Reports (NCRs) on the spot to retain fresh information. Efficient time management during the audit aids in proper reporting.


Distribution of the audit report is a confidential matter agreed upon in advance. The report should be dated and approved before distribution.

The audit concludes when all planned activities are executed or mutually agreed upon with the client. Documents should be either retained or destroyed as per the agreement. The document's content shouldn't be disclosed without explicit client approval. Lessons learned from the audit should be documented for the audited organisation's continuous improvement process.



In case of non-conformities, follow-up is necessary to ensure corrective actions are taken within agreed timeframes. Action plans are given time for implementation, and their completeness is verified during follow-up. Verification involves confirming if non-conformities have been adequately addressed. Outcomes are reported to the client. The effectiveness of corrective actions is evaluated, potentially leading to closing the non-conformities. The timing of this decision depends on the severity of the issue. For significant non-conformities, a follow-up audit may be conducted. The approach, whether it involves re-auditing, documentation review, or waiting until the next audit, is determined.


During follow-up, understanding the issue and investigating its root causes is crucial. Corrective actions are taken, followed by internal effectiveness confirmation. The auditee submits a Corrective Action Report (CAR) detailing the findings, actions taken, preventive measures, completion timeline, and assessment of plan implementation.

Upon thorough verification, including on-site assessment, partial re-audit, or full audit, the audit process reaches closure. The compliance report is confirmed, potentially leading to recommendations or continued certification.


Throughout follow-up audits, it's imperative to ensure root causes have been effectively addressed and that the corrective measures have been successful. The CAR submitted by the auditee should demonstrate the steps taken, the rectification plan, and its efficacy in preventing recurrence.
