Empowering Assurance Systems Pvt Ltd Course Material - Internal auditor Training ISO 15189: 2012

Post on 06-Feb-2022

CONTENTS

Preface

Audit Terminologies

Standard Explanation

Introduction to Management System audits

Performing an audit

Preface:

What will you Learn:

Understand the difference between a policy, a process and a procedure

Become familiar with the fundamentals of a quality system under 15189

Understand the fundamentals necessary to prepare for ISO standard 15189:2012

Develop a general familiarity with ISO 15189

This booklet provides a general overview of ISO 15189. Those with specific interests should obtain a copy of the actual ISO 15189 standard. The standard can be obtained from national standards bodies, from the ISO organization, or from the Clinical and Laboratory Standards Institute.

Audit Terminologies:

Accreditation

Procedure by which an authoritative body gives formal recognition that an organization is

competent to carry out specific tasks

Alert interval

Critical interval

Interval of examination results for an alert (critical) test that indicates an immediate risk to the

patient of injury or death

Biological reference interval

Reference interval

Specified interval of the distribution of values taken from a biological reference population

Competence

Demonstrated ability to apply knowledge and skills

Audit

Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled

Corrective Action

Action to eliminate the cause of a detected nonconformity or other undesirable situation

Department

Section of a laboratory in which a single pathology discipline pursues its activities

Effectiveness

Extent to which planned activities are realised and planned results achieved

Efficiency

Relationship between the result achieved and the resources used

Examination

Set of operations having the object of determining the value or characteristics of a property

Laboratory Director

Competent person(s) with responsibility for, and authority over, a laboratory

Laboratory Management

Person(s) who manage the activities of the laboratory headed by the laboratory director

Materials

Consumables, calibrators, reagents, calibration material used in the performance of an examination

Multidisciplinary Laboratory

Laboratory in which two or more pathology disciplines work in an integrated manner

Nonconformity

Nonfulfilment of a requirement

Organisation

Group of people and facilities with an arrangement of responsibilities, authorities and relationships

Pre-examination processes

Preanalytical phase

Processes that start, in chronological order, from the clinician’s request and include the examination request, preparation and identification of the patient, collection of the primary sample(s), and transportation to and within the laboratory, and end when the analytical examination begins

Primary sample

Specimen

Discrete portion of a body fluid, breath, hair or tissue taken for examination, study or analysis of one or more quantities or properties assumed to apply for the whole

Process

Set of interrelated or interacting activities which transform inputs into outputs

Quality

Degree to which a set of inherent characteristics fulfils requirements

Quality indicator

Measure of the degree to which a set of inherent characteristics fulfils requirements

Quality management system

Management system to direct and control an organization with regard to quality

Quality policy

Overall intentions and direction of a laboratory related to quality as formally expressed by

laboratory management

Quality objective

Something sought, or aimed for, related to quality

Referral laboratory

External laboratory to which a sample is submitted for examination

Sample

One or more parts taken from a primary sample

Turnaround time

Elapsed time between two specified points through pre-examination, examination and post-examination processes

Validation

Confirmation, through the provision of objective evidence, that the requirements for a specific

intended use or application have been fulfilled

Verification

Confirmation, through provision of objective evidence, that specified requirements have been

fulfilled

Do’s and Don’ts

Do Handle Glassware Safely

Eliminate potentially dangerous chemical reactions by thoroughly washing beakers, test tubes,

flasks and other glassware before and after use. This also helps ensure that results are not tainted

by chemical residue from previous experiments. Glassware can break, leaving behind potentially

harmful shards. Report any broken glass immediately and dispose of it properly.

Do Keep Notes

Write proper laboratory procedures, observations and instructions in a laboratory notebook, with

permanent binding and large pages. Lab notebooks help keep track of data, maintain records of

experiments and facilitate thinking.

Do Wear Gloves

Protect your hands with the proper gloves for each job. Handle hot and cold items with insulated

gloves, wear latex gloves during dissections, and use chemical-resistant gloves when working

with caustic chemicals.

Do Wear Closed-Toed Shoes

Protect your feet from spills, hot items and heavy objects by wearing shoes with closed toes.

Sandals and other open-toed footwear leave your feet vulnerable to burns and broken bones.

Do Practice Electrical Safety

Some experiments require electrical equipment. Before plugging in anything, make sure the plug

includes a ground prong. Whenever plugging or unplugging equipment, hold the plug by its

insulating cover. Never unplug anything by pulling or tugging the cord. Reduce the risk of shock

or shorts by keeping electrical equipment away from water and other liquids.

Don't Eat or Drink in the Lab

Eat before entering or after leaving the lab. Food, gum, mints, cough drops and beverages are

messy. They may get equipment dirty, contaminate samples, absorb chemicals or cause

accidents.

Don't Use Excessive Force

Some experiments require connecting glassware with glass tubes and rubber grommets or

plugging glassware with stoppers. Using excessive force can potentially chip or break the glass.

Don't Leave A Mess

Clean up spills immediately. Cover the spill with paper towels and then wipe it up from the

outside in, pushing the mess toward the center of the table, rather than the floor. Dispose of the

paper towels in a proper container. Clean up all laboratory equipment, materials, supplies and

work surfaces before leaving the lab. Make sure Bunsen burners and other sources of heat or gas

are properly turned off.

Standard Explanation:

Quality Policy

The quality policy is a statement of purpose for the laboratory. It should describe, as briefly as possible, what the laboratory is about, why it exists, and what the laboratory’s overall goals or objectives are. The wording should be general in scope. One approach to writing a quality policy is to describe commitments the laboratory is willing to make and then how (in general terms) the laboratory will meet those commitments. Ideally, the quality policy will be no more than one paragraph in length.

An Example Quality Policy

This Laboratory is committed to producing reliable patient test results in a manner necessary to ensure appropriate and timely patient care. The laboratory will strive to produce reliable patient test results by combining processes that promote efficiency with technology appropriate to the laboratory mission and operated by staff that is both trained and competent to perform the work.

Quality Manager

The Quality Manager is responsible for the continued integrity of the quality system. In this capacity the Quality Manager must:

• Ensure the components of the quality management system (QMS) are current and relevant

• Ensure the QMS is audited at regular intervals

• Keep laboratory management informed of all activities and findings of the QMS

• Ensure all staff are committed to, and actively involved in, the QMS

• Facilitate introduction of new quality system procedures or modifications to existing procedures

• Act as liaison between the laboratory and other interfacing departments of the parent organization, as well as internally between various departments within the laboratory itself

Organization & Management

The laboratory must be legally identifiable and free of any financial or commercial conflicts of interest. Laboratory management is responsible for the design, implementation and maintenance of the quality management system. This is to be accomplished through policies and procedures, and by granting authority and responsibility to individuals to develop and maintain the management system. Laboratory management must provide adequate financial, educational and human resources, so that the laboratory can meet its stated objectives and mission. Management must also appoint a Quality Manager and deputies as required.

Quality Management System

Policies, processes and procedures shall be documented and communicated to all personnel. The

laboratory shall have a quality policy statement documented in the Quality Manual. The

laboratory shall have a Quality Manual.

Document Control

ISO 9000:2005 defines a document as “information (meaningful data) and its supporting medium.” As a general rule, a document can be either a paper copy or electronic. It is something that is not written on, except perhaps for an approval signature and date of approval, or stamped with a seal to show that it is the master document. Procedures, product inserts, material safety data sheets, research papers or journal articles that might support a testing protocol are all examples of documents. ISO 15189 requires that all documents be controlled. They must be approved for use by appropriate laboratory authority, usually the Laboratory Director. They must be reviewed at regular intervals to ensure continued relevance. This can be easily accomplished by having a master list, or inventory of documents, that shows which documents are currently in use, their revision number and the date of revision. The master list also identifies obsolete documents, which must be removed from all points of use. Obsolete documents can be archived, but precautions must be taken to avoid inadvertent use. The laboratory must also have a procedure for making amendments and corrections to documents. All amended documents must be reviewed and approved for use by the appropriate laboratory authority. Maintenance of documents is a core requirement for achieving accreditation.

4.4: Service Agreements

At regular intervals, the laboratory must review any agreement for services it provides to its

clients (including but not limited to clinicians, health care bodies, health insurance companies,

pharmaceutical companies, and other departments such as pharmacy or nursing within the

hospital structure) to ensure that the laboratory can meet the requirements such as

methodologies, turn-around times, availability of expert opinion, etc. Records of these reviews

shall be kept and maintained by the laboratory, and should include deviations. Service

Agreements do not always need to be formal documents between the laboratory and some

outside resource.

4.5: Examination by Referral Laboratories

Laboratories frequently select referral laboratories (laboratories that provide analytical support to the primary laboratory) based solely on cost. ISO 15189 specifically requires laboratories to have a procedure for evaluating and selecting referral laboratories, as well as consultants who provide opinions for histopathology and/or cytology.

Laboratories are also required to monitor the quality of referral laboratories. Selecting only laboratories that operate under an accredited quality system can be an initial means to accomplish this objective. Alternately, the laboratory may submit previously determined specimens as unknown samples to the referral laboratory for analysis or interpretation, or require referral laboratories to share their performance scores from relevant EQA (proficiency testing) schemes. The laboratory must maintain a register of all referral laboratories it uses, and a register of all tests referred and results reported.

4.6: External Services and Supplies

The laboratory is required to have policy and procedures in place that describe what must be

done before selecting an outside vendor. There should be verification that purchased services

meet laboratory requirements/needs and purchased supplies meet manufacturer specifications,

particularly for equipment, supplies, and consumables used to produce a laboratory test result.

The laboratory can also begin by purchasing supplies, especially those critical to producing a test

result, from vendors that operate under a certified or accredited quality system. Most

manufacturers of laboratory equipment, reagents and consumables already have numerous

certifications from various organizations and government agencies.

4.7: Advisory Services

The laboratory should meet regularly with clinical staff regarding services and clinical

interpretation of results.

4.8: Resolution of Complaints

Complaints by laboratory clients about laboratory staff or services represent a primary opportunity to identify weaknesses in the quality management system and present an opportunity for improvement. The laboratory must keep a record of the complaint. The record should include the nature of the complaint, the date of occurrence, individuals involved, any investigations undertaken by the laboratory and the resolution.

4.9: Identification and Control of Nonconformities

When an occurrence conflicts with a stated policy, process or procedure, the occurrence is

classified as a nonconformance (event), meaning that whatever occurred did not conform to the

quality management system. Nonconformance events must be recorded, root cause investigated

and documented, corrective action taken and then documented. Testing may be stopped and

results withheld until the nonconformance is resolved, depending on the nature and criticality of

the nonconformance. Results reported during a situation or period of nonconformance should be

recalled when the nonconformance is of a critical nature. Nonconformance occurrences would

include testing a plasma sample when a serum sample is required for the test; using expired

reagents; modifying the test procedure without approval, as in increasing incubation temperature

to shorten incubation time; using tap water to reconstitute reagents when the procedure requires

use of distilled water; and improperly preserving a sample for later testing.

4.10: Corrective Action

The laboratory must have a procedure that describes and documents the reaction by the laboratory to a nonconformance occurrence once a root cause has been identified. The laboratory shall also monitor and document the effectiveness of the corrective action over time.

4.11: Preventive Action

The laboratory shall have appropriate and effective action plans to reduce the likelihood of

nonconformance situations. Preventive action plans might include regular review of data

generated from routine testing of quality control materials.

4.12: Continual Improvement

Laboratory management must review all operational procedures at regular intervals. The frequency should be no less than annually. Management shall implement quality indicators to monitor the laboratory’s overall contribution to patient care. The quality system should be reviewed for redundancies, such as policies or procedures that do little to enhance quality; and for inherent weaknesses, such as areas that have frequent nonconformance events or client complaints and therefore need closer scrutiny or tighter.

4.13: Control of Records

Here a record is defined as “evidence of results achieved or activities performed.” As a general rule, a record is something that is written upon. It can be electronic or on paper. Records include quality control records, instrument printouts, patient test reports, patient test requisitions, records of specimen referrals, nonconformity records, and complaint records. Records also include any log or list that is constantly modified by the laboratory, such as specimen acquisition records, calibration and maintenance logs, out-patient registers, and contact logs with outside clients. Records must be kept and maintained by the laboratory for specified periods of time as defined by the laboratory, government agencies, or accrediting bodies.

4.14: Evaluation and Audits

The quality system must undergo internal and external audits. The purpose of both internal and

external audits is to verify the laboratory is in compliance with the quality management system.

An external audit is usually performed by some agency or organization approved for such

purposes. Passing the audit usually leads to accreditation of the laboratory. ISO 15189

recommends annual internal audits. Internal audits are usually performed by trained and

qualified staff. It is important to recruit and train internal auditors from all sections of the

laboratory operation. It is possible that a clerk, particularly one who is inquisitive, may make a

very insightful and thorough auditor. Internal audit findings are documented and the laboratory

must develop a plan to correct and/or respond to the findings. A reminder: documenting actions

taken creates a quality record.

4.15: Management Review

Management must review the quality system at regular intervals. Normally this would be done

annually, but shorter intervals are encouraged with a new quality system. The purpose of the

review is for management to assess its level of commitment to the quality management system

during the past 12 months, to evaluate the effectiveness of the system and to recommend changes

as necessary. The review shall include an overview of all nonconformance events during the

year, the actions taken, preventive measures put in place, feedback from clients, results of the

internal quality control program, and performance in EQA or proficiency testing. Findings and

actions taken by laboratory management as a result of the annual review are documented and

become a quality record.

5.1: Personnel

Laboratory management must have and maintain job descriptions, including qualifications to perform specific job functions. Certified or licensed personnel should be utilized when required. Personnel making judgments regarding test results must possess appropriate knowledge and experience. Management must provide adequate training, continuing education or access to training for technical staff, and assess staff competency at regular intervals.

5.2: Accommodation and Environmental Conditions

The laboratory shall have adequate space and a safe environment in which to perform testing. It must provide adequate lighting, ventilation, water, waste and refuse disposal. Attention should be given to dust, electromagnetic interference, ambient temperature and humidity levels, electrical supply, as well as sound and vibration levels.

Records of environmental conditions, particularly temperature and humidity, should be kept and maintained where relevant or required. Work areas shall be clean and well maintained. Precautions must be taken to prevent cross contamination, particularly in laboratories performing mycobacteriology or nucleotide amplification techniques. The laboratory must also be designed to accommodate patient disabilities and privacy.

5.3: Laboratory Equipment

Laboratory equipment as defined in ISO 15189 are instruments, reference materials, consumables, reagents, analytical systems, and laboratory information systems. The laboratory shall have adequate equipment to perform testing to meet its stated laboratory mission. It must verify the equipment meets performance requirements specified by the laboratory or claimed by the manufacturer. The laboratory shall have policies and procedures that specify regular monitoring of instrument calibration and preventive maintenance. Calibration and maintenance records must be maintained, including reports/certificates of all calibrations and/or verifications which should include dates, times, acceptance criteria, results, adjustments, and due date of the next calibration and/or verification. When equipment requires use of cofactors to modify raw data or transform a patient test result, the laboratory must have procedures in place to ensure that old cofactors are updated.

5.4: Pre-Examination Processes

Requests for testing must provide:

• Some form of patient identification

• Name of the ordering physician or other person authorized to order testing

• Clinician’s address

• Type of primary sample collected

• Anatomic site where appropriate

• Test requested

• Patient gender

• Date of birth

• Pertinent clinical information as appropriate for purposes of test interpretation

• Date and time of sample collection and receipt in the laboratory

• Preferred sample type (venous, arterial, capillary, urine, spinal fluid)

• Type of anticoagulant

• Sample volume considered acceptable

The laboratory shall maintain a record of all samples received. When a sample is transported to

or from the laboratory, efforts must be made to monitor the time lapse between sample collection

and receipt by the laboratory. In addition, the temperature during transport should be mentioned,

since some samples must be kept at room temperature, others at 2-8ºC or frozen.

The laboratory shall also have procedures on how to accept verbal requests, as well as approved

procedures for proper specimen collection that address specific collection requirements.

Procedures shall also describe requirements for patient preparation and storage of specimens

once collected. The laboratory shall reject primary specimens not meeting identification or

specimen requirements.

5.5: Examination Processes

The process of analysis shall be specified by validated written or electronic procedures

maintained in and by the laboratory. Procedures may be authored by the laboratory or may be

previously published materials including, but not limited to, product inserts, instrument manuals,

textbooks, journals, or international guidelines. Test procedures developed by the laboratory (in-

house procedures) must be validated and fully documented before being put into use. All

procedures must be in a language commonly understood by laboratory staff.

5.6: Ensuring Quality of Examination Results

The laboratory shall have an internal quality control (QC) program to verify the quality of

produced patient test results.

While the character of the internal QC program is not specified in the ISO standard, in an effort

to allow for flexibility, such a program should include regular testing of QC materials at a

frequency sufficient to detect errors in the analytical process when error occurs. Laboratories

should also consider the use of independent control materials, either instead of, or in addition to,

any control materials supplied by the reagent or instrument manufacturers. ISO 15189 further

requires that QC frequency be determined by taking into account both the performance of the test

and potential risk of harm to a patient from an incorrect result.

5.7: Post Examination Processes

Authorized personnel shall routinely examine results before reporting. Once a sample is used, it

must be maintained in the laboratory for a specified period of time at a temperature that ensures

stability of the sample, in the event that the sample is needed for retesting. Used samples shall be

disposed of in a safe and environmentally sensitive manner.

5.8: Reporting of Results

Test results must be reported on forms approved by laboratory management under the quality system and must clearly identify:

• Patient

• Date and time of specimen collection

• Test performed

• Reference or normal range

• The laboratory interpretation where appropriate

• Name or initial of person performing the test

• Authorized signature of person reviewing the report and releasing the results

5.9: Release of Results

The results must be legible, without transcription mistakes and reported only to persons authorized to receive them, such as the ordering physician or nursing staff in a hospital environment. The report must also indicate whether the sample received was unacceptable for testing. Reports of test results are quality records and must be kept for a period of time specified by the laboratory or a government requirement. The laboratory must have procedures for handling critical values, automated reporting of results and revised reports.

5.10: Laboratory Information Management

The laboratory must have a documented procedure to protect the confidentiality of patient information. Authority and responsibility of the information system must be clearly identified in addition to responsible use of the system by laboratory staff. Since Laboratory Information Systems are intended to process / handle laboratory and patient data, including transfer of data, the lab must verify the data is accurately reproduced.

Computer software must be validated as appropriate before being put into use. Precautions must

be taken to protect the integrity and privacy of the patient data archived in electronic formats.

Access to the programs must be restricted to prevent alteration or destruction of data by

unauthorized persons.

INTRODUCTION TO MANAGEMENT SYSTEM AUDITS

Audits can be distinguished as:

a. First party audits

b. Second party audits

c. Third party audits

FIRST PARTY AUDITS

First-party audits are often called internal audits. This is when someone from the

organization itself will audit a process or set of processes in the quality management system to

ensure it meets the procedure that the company has specified. This person can be an employee of

the organization or someone hired by the organization to perform the internal audits, such as a

consultant, but the important thing is that the person is acting on behalf of the company rather

than a customer or certification body. This type of audit is focused not only on whether the

company processes meet the requirements of a standard, but all rules the company has set for

itself. The audit will look for problem areas, areas where processes do not align with each other,

opportunities for improvement, and the effectiveness of the quality management system. By

design, these audits can and should be much more in depth than the other audits, since this is one

of the best ways for a company to find areas to improve upon.

SECOND PARTY AUDITS

A second-party audit is when a company performs an audit of a supplier to ensure that they are

meeting the requirements specified in the contract. These requirements may include special

control over certain processes, requirements on traceability of parts, requirements for special

cleanliness standards, requirements for specific documentation, or any of a host of other items of

special interest to that customer.

THIRD PARTY AUDITS

A third-party audit occurs when a company has decided that they want to create a

management system that conforms to a standard set of requirements and hire an independent

company to perform an audit to verify that the company has succeeded in this endeavor. These

independent companies are called certification bodies or registrars, and they are in the business

of conducting audits to compare and verify that the Management System meets all the

requirements of the chosen standard, and continues to meet the requirements on an ongoing

basis. They then provide certification to companies that they approve. This can be used to give

customers of the certified company confidence that the Management System meets the

requirements of the chosen standard.

Auditing terms and definition

Audit: systematic, independent and documented process for obtaining audit evidence and

evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Audit criteria: set of policies, procedures or requirements used as a reference against which

audit evidence is compared

Audit evidence: records, statements of fact or other information which are relevant to the audit

criteria and verifiable

Audit Findings: results of the evaluation of the collected audit evidence against audit criteria

Audit conclusion: outcome of an audit, after consideration of the audit objectives and all audit

findings

Audit client: organization or person requesting an audit

Auditee: organization being audited

Auditor: Person who conducts an audit

Audit team: One or more auditors conducting an audit, supported if needed by technical experts

Audit programme: Arrangements for a set of one or more audits planned for a specific time

frame and directed towards a specific purpose

Audit scope: Extent and boundaries of an audit.

Audit plan: Description of the activities and arrangements for an audit

Competence: Ability to apply knowledge and skills to achieve intended results

AUDITING PRINCIPLES

a. Integrity: the foundation of professionalism

b. Fair presentation: the obligation to report truthfully and accurately

c. Due professional care: the application of diligence and judgement in auditing

d. Confidentiality: security of information

e. Independence: the basis for the impartiality of the audit and objectivity of the audit

conclusions

f. Evidence-based approach: the rational method for reaching reliable and reproducible

audit conclusions in a systematic audit process

AUDIT OBJECTIVES

Each individual audit should be based on documented audit objectives, scope and criteria.

The audit objectives define what is to be accomplished by the individual audit and may

include the following:

determination of the extent of conformity of the management system to be audited, or

parts of it, with audit criteria;

determination of the extent of conformity of activities, processes and products with the

requirements and procedures of the management system;

evaluation of the capability of the management system to ensure compliance with legal

and contractual requirements and other requirements to which the organization is

committed;

evaluation of the effectiveness of the management system in meeting its specified

objectives;

identification of areas for potential improvement of the management system.

AUDIT SCOPE

The audit scope should be consistent with the audit programme and audit objectives. It

includes such factors as:

physical locations,

organizational units,

activities and processes to be audited, as well as the time period covered by the audit.

AUDIT CRITERIA

The audit criteria are used as a reference against which conformity is determined and may include:

applicable policies,

procedures,

standards,

legal requirements,

management system requirements,

contractual requirements,

sector codes of conduct or

other planned arrangements.

ROLES AND RESPONSIBILITIES OF AUDITOR

Comply with the audit requirements

Plan and perform assigned responsibilities effectively and efficiently.

Document all observations and report the results

Verify effectiveness of corrective actions.

Retain and safeguard audit documents.

Communicate and participate in audit team meetings.

AUDITOR COMPETENCE

Auditors should possess the knowledge and skills necessary to achieve the intended

results of the audits they are expected to perform. All auditors should possess generic knowledge

and skills and should also be expected to possess some discipline and sector-specific knowledge

and skills. Audit team leaders should have the additional knowledge and skills necessary to

provide leadership to the audit team.

GENERIC KNOWLEDGE AND SKILLS OF AUDITOR

Auditors should have knowledge and skills in the areas outlined below

Audit principles, procedures and methods: knowledge and skills in this area enable the auditor

to apply the appropriate principles, procedures and methods to different audits, and to ensure that

audits are conducted in a consistent and systematic manner. An auditor should be able to do the

following:

Apply audit principles, procedures, and methods;

Time management

Prioritize and focus on matters of significance;

Effective interviewing, listening, observing

Reviewing documents, records and data;

Understand and consider the experts’ opinions;

Using sampling techniques for auditing;

Verify collected information;

Confirm the sufficiency of audit evidence

Assess reliability of the audit

Use work documents

Document audit findings

Prepare appropriate audit reports;

Maintain confidentiality and security of information

Communicate effectively

Understand the types of risks

PERSONAL BEHAVIOR OF AN AUDITOR

Auditors should possess the necessary qualities to enable them to act in accordance with

the principles of auditing as described earlier. Auditors should exhibit professional behavior

during the performance of audit activities, including being:

ethical, i.e. fair, truthful, sincere, honest and discreet;

open-minded, i.e. willing to consider alternative ideas or points of view;

diplomatic, i.e. tactful in dealing with people;

observant, i.e. actively observing physical surroundings and activities;

perceptive, i.e. aware of and able to understand situations;

versatile, i.e. able to readily adapt to different situations;

tenacious, i.e. persistent and focused on achieving objectives;

decisive, i.e. able to reach timely conclusions based on logical reasoning and analysis;

self-reliant, i.e. able to act and function independently whilst interacting effectively with

others;

acting with fortitude, i.e. able to act responsibly and ethically, even though these actions

may not always be popular and may sometimes result in disagreement or confrontation;

open to improvement, i.e. willing to learn from situations, and striving for better audit

results;

culturally sensitive, i.e. observant and respectful to the culture of the auditee;

collaborative, i.e. effectively interacting with others, including audit team members and

the auditee’s personnel.

PERFORMING AN AUDIT

AUDIT PLAN

The audit team leader should prepare an audit plan based on the information contained in

the audit programme and in the documentation provided by the auditee. The audit plan should

consider the effect of the audit activities on the auditee’s processes and provide the basis for the

agreement among the audit client, audit team and the auditee regarding the conduct of the audit.

The plan should facilitate the efficient scheduling and coordination of the audit activities in order

to achieve the objectives effectively.

Why plan?

The audit plan is used to facilitate the efficient scheduling and coordination of the audit activities in order to achieve the objectives effectively.

What should the audit plan cover?

The audit objectives

Audit scope & criteria

Locations, dates, expected time and duration of audit

Audit methods to be used

Roles and responsibilities of the audit team members, as well as guides and observers

Parts of System to be audited

Any follow-up actions from a previous audit, etc.

1.1 PREPARING WORK DOCUMENTS

The audit team members should collect and review the information relevant to their audit

assignments and prepare work documents, as necessary, for reference and for recording audit

evidence. Such work documents may include the following:

checklists;

audit sampling plans;

forms for recording information, such as supporting evidence, audit findings and records

of meetings.

The use of checklists and forms should not restrict the extent of audit activities, which

can change as a result of information collected during the audit.

Work documents, including records resulting from their use, should be retained at least

until audit completion, or as specified in the audit plan. Those documents involving confidential

or proprietary information should be suitably safeguarded at all times by the audit team

members.

Questions to consider when preparing work documents:

a. Which audit record will be created by using this work document?

b. Which audit activity is linked to this particular work document?

c. Who will be the user of this work document?

d. What information is needed to prepare this work document?

For combined audits, work documents should be developed to avoid duplication of audit

activities by:

clustering of similar requirements from different criteria;

coordinating the content of related checklists and questionnaires.

The work documents should be adequate to address all those elements of the management system

within the audit scope and may be provided in any media.

CHECKLISTS

Purpose

Aide Memoire

Provide a framework for the audit

Ensures nothing is missed out

Methods:

Checklists for verification can be based on:

Requirements of ISO 9001:2015 standard

Requirements of Organization’s QMS documents

Objective of the audit etc.

Advantage:

An audit checklist helps ensure that the audit is conducted systematically, by promoting planning using a consistent approach.

Disadvantage:

Rigid adherence may lead to missing audit trails.

SAMPLING

Audit sampling takes place when it is not practical or cost effective to examine all

available information during an audit, e.g. records are too numerous or too dispersed

geographically to justify the examination of every item in the population. Audit sampling of a

large population is the process of selecting less than 100 % of the items within the total available

data set (population) to obtain and evaluate evidence about some characteristic of that

population, in order to form a conclusion concerning the population.

The objective of audit sampling is to provide information for the auditor to have confidence that

the audit objectives can or will be achieved.

When sampling, consideration should be given to the quality of the available data, as sampling

insufficient and inaccurate data will not provide a useful result. The selection of an appropriate

sample should be based on both the sampling method and the type of data required, e.g. to infer a

particular behavior pattern or draw inferences across a population.

Reporting on the sample selected could take into account the sample size, selection

method and estimates made based on the sample and the confidence level.

COLLECTING AND VERIFYING INFORMATION

During the audit, information relevant to the audit objectives, scope and criteria,

including information relating to interfaces between functions, activities and processes, should

be collected by means of appropriate sampling and should be verified. Only information that is

verifiable should be accepted as audit evidence. Audit evidence leading to audit findings should

be recorded. If, during the collection of evidence, the audit team becomes aware of any new or

changed circumstances or risks, these should be addressed by the team accordingly.

SELECTING THE SOURCE OF INFORMATION

The sources of information selected may vary according to the scope and complexity of the audit

and may include the following:

interviews with employees and other persons;

observations of activities and the surrounding work environment and conditions;

[Figure: Source, Sampling, Evidence, Evaluate, Findings, Review, Conclusions]

documents, such as policies, objectives, plans, procedures, standards, instructions,

licenses and permits, specifications, drawings, contracts and orders;

records, such as inspection records, minutes of meetings, audit reports, records of

monitoring and the results of measurements;

data summaries, analyses and performance indicators;

information on the auditee’s sampling plans and on the procedures for the control of

sampling and measurement processes;

reports from other sources, e.g. customer feedback, external surveys and

measurements, other relevant information from external parties and supplier ratings;

databases and websites;

simulation and modeling.

METHODS:

Interviews

Observations

Review of documents, including records

INTERVIEWING

Purpose:

Interviews in an auditing context are held with persons from appropriate levels and functions performing activities or tasks, and are one of the important means of collecting information.

It should be carried out in a manner adapted to the situation and the person interviewed,

either face to face or via other means of communication.

The auditor should consider the following:

interviews should be held with persons from appropriate levels and functions performing

activities or tasks within the audit scope;

interviews should normally be conducted during normal working hours and, where

practical, at the normal workplace of the person being interviewed;

attempt to put the person being interviewed at ease prior to and during the interview;

the reason for the interview and any note taking should be explained;

careful selection of the type of question used (e.g. open, closed, leading questions);

the results from the interview should be summarized and reviewed with the interviewed

person;

the interviewed persons should be thanked for their participation and cooperation.

1.2 TECHNIQUES FOR ASKING QUESTIONS:

Every audit has objectives, and auditors who lose sight of this will not be effective.

It is important for an auditor to always keep the audit objectives in mind in order to be effective

in collecting information. For this the interviewer has to ask the right questions. Various

questioning techniques are:

Open questions

These types of questions elicit longer answers. They usually begin with “What?”, “Why?”, “How?”, “When?”, “Where?” etc. An open question asks the respondent for her or his knowledge, opinion or feelings. “Tell me” and “Describe” can also be used. For example:

o Describe your process.

o Why is it done this way?

o Tell me what happens next? Etc.

Open questions are good for:

o Developing an open conversation

o Finding out more detail

o Finding out the auditee’s opinion etc.

Closed questions

A closed question usually receives a single word or very short factual answer.

For example:

o Do you measure your process? – the answer is usually a “yes” or “no”

o Are you recording your process measurements?

o Where in the processes do you verify the results? – a short factual answer like

during ….

Closed questions are good for:

o Testing your or the auditee’s understanding.

o Concluding a discussion or making a decision

o Framing a situation

Misplaced closed questions, on the other hand, can kill the interviewing process and lead to an awkward silence, and so are best avoided when an interview is in full flow.

Probing questions

Asking probing questions is a strategy for finding out more details. This can be used to investigate whether there is proof of what is being said by the auditee. An effective way of probing is to use the “5 Whys” method, which can help you to get to the root of a problem.

This questioning method is good for:

o Gaining clarification

o Drawing information out of an auditee who is trying to avoid telling you something.

Leading questions

This method tries to lead the auditee to your way of thinking:

For example – “How late do you think the delivery of outputs will be delayed?” This assumes

that delivery will not take place on time.

This type of question may be good for getting an answer that you want while at the same time making the auditee feel that he or she has a choice. It is also good for closing and agreeing on an audit finding.

Funnel questions

This technique involves starting with general questions, then homing in on a point in each

answer and asking more and more details at each level.

This technique is good for:

o Finding out more details about a specific area or context.

o Getting the interest or increasing the confidence of the auditee

Where to use?

By knowing where to use these techniques, you can gain the information more effectively.

For Learning: Ask open and closed questions and use probing questions.

Relationship building: To evoke positive responses. E.g. Asking about what they do or

their opinion etc.

Avoiding misunderstandings: use probing questions

De-fusing a heated situation: use funnel questions, e.g. to go into more details about

their grievance.

Persuading the auditee: by asking a series of open questions so that the auditee

understands the reasons behind your point of view.

ACTIVE LISTENING:

Listening is an important skill an auditor should develop. The effectiveness of an audit

interview depends a lot on this skill of an auditor. It also helps to develop an open and positive

relationship with the person being audited.

For active listening, an auditor should:

• Show interest

• Maintain eye-contact

• Paraphrase rather than question

• Concentrate on what others are saying

• Avoid early evaluations

• Avoid getting defensive

• Listen (and observe) for feelings

GENERATING AUDIT FINDINGS

Audit evidence should be evaluated against the audit criteria in order to determine audit

findings. Audit findings can indicate conformity or nonconformity with audit criteria. When

specified by the audit plan, individual audit findings should include conformity and good

practices along with their supporting evidence, opportunities for improvement, and any

recommendations to the auditee.

Nonconformities and their supporting audit evidence should be recorded.

Nonconformities may be graded. They should be reviewed with the auditee in order to obtain

acknowledgement that the audit evidence is accurate, and that the nonconformities are

understood. Every attempt should be made to resolve any diverging opinions concerning the

audit evidence or findings, and unresolved points should be recorded.

The audit team should meet as needed to review the audit findings at appropriate stages

during the audit.

NC Scenario 1

During an internal audit, you cross-check the plasma test. For one of the blood samples collected for the plasma test, you ask the lab technician about the method he followed in completing the test. He says that he collects the plasma in a 1.5 ml green/yellow-top (plasma separator) tube for line draws and 2 ml in a gold-top serum separator tube for off-site specimens.

When you check the procedure, however, you find that the volumes stated are 3 ml and 3.5 ml respectively. When asked, he says that the procedure has changed recently but he still follows the method he described. The lab manager says that he was not aware that the smaller amount is still drawn for the test.

Failure: Personnel working in the laboratory are not aware of the criteria followed.

Evidence: The plasma is collected in a 1.5 ml green/yellow-top (plasma separator) tube for line draws and 2 ml in a gold-top serum separator tube for off-site specimens, whereas the procedure states 3 ml and 3.5 ml respectively.

Requirement: 5.1.5 Training

The laboratory shall provide training for all personnel which includes the following areas: b) assigned work processes and procedures.

NC Scenario 2

During an audit, you check the refrigerator used for storing the samples and solutions. The temperature was set at -18 °C, but when you measure the inner temperature it shows -14 °C. When asked about it, the lab assistant replies that this often happens during compressor failure and that, when they come across it, they inform the maintenance department to rectify it. The maintenance record shows that it was rectified twice in the last 2 months. When you ask about validation of the set temperature against the temperature achieved, the lab assistant replies that no such practice is in place. If the compressor starts working, the maintenance engineer closes the complaint at that point.

Failure: The laboratory has not examined the actual cause of the failure or maintained the equipment.

Evidence: The temperature was set at -18 °C, but the measured inner temperature was -14 °C. The maintenance record shows that it was rectified twice in the last 2 months. When asked about validation of the set temperature against the temperature achieved, the lab assistant replied that no such practice is in place.

Requirement: 5.3.1.5 Equipment maintenance and repair

Whenever equipment is found to be defective, it shall be taken out of service and clearly labelled. The laboratory shall ensure that defective equipment is not used until it has been repaired and shown by verification to meet specified acceptance criteria. The laboratory shall examine the effect of any defects on previous examinations and institute immediate action or corrective action.

DETERMINING AUDIT FINDINGS

When determining audit findings, the following should be considered:

follow-up of previous audit records and conclusions;

requirements of audit client;

findings exceeding normal practice, or opportunities for improvement;

sample size;

categorization (if any) of the audit findings;

RECORDING CONFORMITIES

For records of conformity, the following should be considered:

identification of the audit criteria against which conformity is shown;

audit evidence to support conformity;

declaration of conformity, if applicable.

RECORDING NONCONFORMITIES

For records of nonconformity, the following should be considered:

description of or reference to audit criteria;

nonconformity declaration;

audit evidence;

related audit findings, if applicable.

REPORTING AN AUDIT

NONCONFORMANCE REPORT

A nonconformance report (NCR) should be:

Clearly written – quote the requirement (assign the appropriate clause of the standard and/or the organization’s QMS requirement). (Attribution of reference)

Cite the situation – how has the requirement not been fulfilled? (Explanation)

Describe the objective evidence such that it is verifiable. (Observation)

COMPLETING THE AUDIT

The audit is completed when all planned audit activities have been carried out, or as

otherwise agreed with the audit client (e.g. there might be an unexpected situation that prevents

the audit being completed according to the plan).

Documents pertaining to the audit should be retained or destroyed by agreement between

the participating parties and in accordance with audit programme procedures and applicable

requirements.

Unless required by law, the audit team and the person managing the audit programme

should not disclose the contents of documents, any other information obtained during the audit,

or the audit report, to any other party without the explicit approval of the audit client and, where

appropriate, the approval of the auditee. If disclosure of the contents of an audit document is

required, the audit client and auditee should be informed as soon as possible.

Lessons learned from the audit should be entered into the continual improvement process

of the management system of the audited organizations.

CONDUCTING AUDIT FOLLOW-UP

The conclusions of the audit can, depending on the audit objectives, indicate the need for corrections, or for corrective, preventive or improvement actions. Such actions are usually decided and undertaken by the auditee within an agreed timeframe. As appropriate, the auditee should keep the person managing the audit programme and the audit team informed of the status of these actions.

The completion and effectiveness of these actions should be verified. This verification

may be part of a subsequent audit.

CORRECTION AND CORRECTIVE ACTION

CORRECTION:

An action taken immediately to set right a nonconformity in the short term. For example, setting right a defective product or correcting an incorrect invoice.

CORRECTIVE ACTION:

• Taken to eliminate the cause of a detected nonconformity.

• Eliminate the root cause(s) to prevent recurrence of the nonconformity.

Both correction and corrective action may be required in many scenarios.

VERIFYING EFFECTIVENESS OF CORRECTIVE ACTIONS

On proposed actions:

The response of an organization in implementing corrective action is to be reviewed before

acceptance.

Important elements to verify in the review:

• Verify the appropriateness of root causes

• Proposed actions – clear and concise?

• Are they thorough and accurate?

Post implementation

QMS auditors are responsible for verifying the effectiveness of corrective actions.

• Verify correction

• Verify the effectiveness of corrective actions to prevent recurrence of nonconformity.

• Verify evidence supporting the claim that a corrective action has been fully implemented