internal auditing slides

7/27/2019 Internal Auditing Slides

1/101

Muhammad Afzal Meo

[email protected] , [email protected]

ADVANCED INTERNALAUDITING WORKSHOP
mailto:[email protected]:[email protected]


2/101

COURSE OBJECTIVE

Purpose of Audit

Define Audit Terms

Auditor IndependenceAudit Preparation

Conducting An audit

Reporting Follow up


3/101

Why Audit

Formal requirement of ISO 9001:2000

Standard

To encourage continuous improvement

To give managers feedback on their

systems

To help employees understand corporategoals and procedures

To monitor progress on targets and

objectives


4/101

What to Audit ?

Understanding of corporate policies and

objectives

Compliance to procedure and standards

Effective control on documentation & standards

Record preparation & filing

Competence and training of staff to perform job

effectively Commitment of managers and workers towards

continuous improvement


5/101

How Often ?

All departments at least once a year

More regular audits in areas where there are

problems, new personnel or regular customer visits

In response to customer complaints Include off-site locations like stores and marketing

offices

Right after an emergency or management change

Before certification audits and/or customer visits


6/101

Who Audits ?

Auditors should be selected from alldepartments in the organisation

Auditor selected for an audit should be

independent from the function being audited

Auditors should include personnel from both the

top and middle management

Auditors must be allocated time needed to study

documents, perform the audit and report onfindings

Presentation skills are also important


7/101

Auditor Competence

Quality

Quality Specific

knowledge and skills

(7.3.3)

Environmental /

Food Safety

Environmental /Food safety

Specific knowledge and skills(7.3.4)

Generic

knowledge and

skills (7.3.1

and 7.3.2)


8/101

Types of Audits

Systems Audits - ISO 9000

Financial Audits

Safety Audits

Customer Audits Regulatory Audits - Factory Law, Labour Law &

Environmental Law

In general there are three types of audits - First Party

Second Party

Third Party Audits


9/101

First Party - Internal

Audits conducted against corporate policies,procedures and standards

Schedule and frequency against auditprogrammes and/or special circumstances

Auditors chosen from a cross section of

departments


10/101

First Party - Internal

These audits typically look at enforcing

compliance to corporate policies

effective record keeping

employee awareness

improvement in all processes


11/101

2nd Party - Supplier Audits

Audits against standards imposed by businessesonto their suppliers

Supplier audits are very common in automotive,

textile & food industry prompt delivery of zero

defect product is vital


12/101

2nd Party - Supplier Audits

These audits typically look at enforcing -

fewer defects for products & services

better response on customer service

documentation on inspection & testing

better storage & handling of product

equipment maintenance & calibration


13/101

3rd Party Audit

Performed by independent authorities

These include certification bodies, inspection

agencies and surveyors

These audits are regulated by accreditationauthorities and other associations like

United Kingdom Accreditation Services

American Petroleum Institute

American Society of Mechanical Engineers


14/101

Phases of an

Internal Audit


15/101

AUDIT INITIATION


16/101

Phase I Initiation

Audit Plan Quarterly or six month or annual

plan

department wise frequency

circulated to all staff will change based on results of audit and

performance of departments

Audit basis ISO 9001, Company policy, etc..

Audit scope Extent and boundaries of audit

Audit Objectives Compliance against ISO 9001,

improvement of current system,

closing out previous NCs


17/101

What is an Audit Plan?

Description of the activities and

arrangements for an audit

ISO19011:2002


18/101

Phase I Audit plan

The audit plan can be issues annually or Quarterly,the plan should be based on : The status and importance of the activity

The results of the previous audits (internal & external)

Corrective Actions Changes to systems elements

Introduction to new methods and technology

Organizational and personnel changes

The risk to quality if audit frequency is reduced Availability of audit personnel


19/101


20/101

AUDIT PLANNING


21/101

Phase II Planning & Preparation

Inform auditor, auditee

Make arrangements - guide, safety

Examine documents Prepare checklists


22/101

What is a Checklist?

A structured list of points to evaluate

Identifies and communicates the scope of

an auditAn auditors tool to gather evidence and

provide an audit trail

Guides the course and controls the paceof an audit


23/101

Phase III Checklists

Keeps audit relevant to objective

Provides evidence of planning

MemoirAssists note taking

Reduces risk to bias

Manages timeAssists in the preparation of audit report


24/101

Types of Checklists

Standard

Ready formatted

Facilitates consistencyacross different area's)

Uniform questions

Can be inflexible

Not suited to all types ofaudit

Customised

Constructed as and when

needed

Usually specific to a

particular audit

Assists preparation by

client organisation Demonstrates

professional approach by

Audit team


25/101


26/101

EXECUTION


27/101

Phase III Audit Execution

Opening meeting

Introduce auditors

Confirm programme

Confirm arrangements

Interview personnel

Examine documents Observe processes

Examine materials and equipment


28/101

A Typical Opening Meeting Agenda

Introductions, if applicable

Confirmation of the objectives, scope and criteria of the audit

Confirmation of audit timetable

Outline the audit process and approach

Explain the reporting method

Confidentiality Statement

Confirmation of availability and roles of guides

Provide any clarifications which may be required


29/101

How to Manage the Opening Meeting

Be prepared

Control the meeting

Keep it short and stick to the point

Be professional

Keep a record of people who attend


30/101

Phase III Key Points

Ensure who you are auditing and theirorganizational responsibilities

Explain the importance of the audit

Ask for the auditees help in achieving theobjectives of the audit

Ask permission before disturbing work inprogress

Obtain auditees acknowledgement on any NCsyou are recording

Ask the auditee if they have any points about theaudit or their QMS that they wish to discuss

Thank the auditee for their co-operation


31/101

What is Evidence?

Qualitative or quantitative information, records,or

statements of fact pertaining to:

the quality of the product or service

to the existence and implementation of a

quality management system requirement

which is based on observation, measurementor test and which can be independently verified


32/101


33/101


34/101


35/101


36/101


37/101


38/101


39/101

Types of Questions

Open

Closed

Hypothetical

Obvious

Answered


40/101

General Points on Questioning

Techniques

Use appropriate types of question

Adopt a logical approach

Follow a natural sequence

Actively listen to what is being said

Use silence appropriately

Seek clarification, where necessary

Verify responses, where necessary


41/101


42/101


43/101


44/101


45/101


46/101


47/101


48/101


49/101


50/101


51/101


52/101


53/101


54/101


55/101


56/101


57/101


58/101


59/101


60/101


61/101


62/101

ISO 9001 action plan

Gain management commitment Choose an implementation team

Prepare a budget and schedule

Assign responsibilities to cross functional teams

Involve all employees Conduct preliminary reviews to identify gaps

Modify plan (if required)

Prepare procedures

Plan for change Train employees

Assess performance through audits

Address gaps


63/101


64/101


65/101


66/101


67/101


68/101


69/101

Structure of the ISO 9001:2000


70/101

Structure of the ISO 9001:2000

Standard

Scope

Application

Normative Reference

Terms and Definitions Requirements

Annex(s)

8 Quality Management Principles

ISO 9001:2000

Clause 1 2 Application


71/101

Clause 1.2_Application

All requirements of this International Standard aregeneric and are intended to be applicable to allorganisations, regardless of type, size andproduct provided

Where any requirement(s) of this InternationalStandard cannot be applied due to the nature ofan organisation and its product, this can beconsidered for exclusion


ISO 9001:2000


72/101

Justification of Exclusions


73/101

Justification of Exclusions

Defined and justified in the organisation's Quality

Manual

Other publicly available documents, such as:

certification/registration documents

marketing materials

To avoid confusing or misleading customers

and end users


ISO 9001:2000

Examples of most likely


74/101

p y

exclusions

7.3 (Design and development) -where theorganisation has no responsibility for the designand development of the products it provides

7.5.3 (Identification and traceability)-this clausewould only be partially applicable where there is nospecific traceability requirement for theorganisations products

7.5.4 (Customer property) -where the

organisation uses no customer property in itsproduct or product realisation processes.


ISO 9001:2000


75/101

Quality Management System (QMS)


76/101

y g y ( )General Requirements

The organisation shall establish, document, implement,maintain and continually improve the QMS.

To implement the QMS, the organisation shall:a)identify the processes needed for the quality management systemb) determine the sequence and interaction of these process

c) determine criteria and methods required to ensure the effective operation

and control of these processes

d) ensure the availability of information necessary to support the operation

and monitoring of these processes

e) measure, monitor and analyse the processes, and implement action

necessary to achieve planned results and continual improvements.


ISO 9001:2000

Quality Management System


77/101

Quality Management System

Documentation Requirements

The QMS documentation shall include:

a) documented quality policy and objectives

b) quality manual

c) documented procedures required by this International standard

d) documents required by the organisation to ensure the effective

operation and control of its processese) quality records

A Quality Manual shall be established and maintained,that includes the following:

- the scope of the quality management system and Exclusions (if any)

- documented procedures reference

- a description of the sequence and interaction of the processes included

in the QMS

Control of documents and records


ISO 9001:2000


78/101

Customer Focus


79/101

Customer Focus

Top management shallensure that customerneeds and

expectations aredetermined, convertedinto requirements andfulfilled with the aim ofachieving customersatisfaction

ResourceManagement

Measurement,

Analysis and

Improvement

Product

Realisation

Management

Responsibility

Quality Policy


80/101

Quality Policy

Top management shall ensure

that the quality policy:

a)is appropriate to the purposeof the organisation

b)includes a commitment tomeeting requirements and to

continual improvementc) provides a framework forestablishing and reviewingobjectives

d) is communicated andunderstood at appropriate

levels in the organisatione) is reviewed for continuingsuitability

ResourceManagement

Measurement,

Analysis and

Improvement

Product

Realisation

Management

Responsibility


81/101

Obj ti d T t


82/101

Objectives and Targets

Objective

overall quality goal arising from the

quality policy

Target

detailed quantified performance

target


83/101


84/101

Management Review


85/101

Management Review

Top management shallreview the QMS, atplanned intervals, toensure its continuingsuitability, adequacy andeffectiveness. The reviewshall evaluate the need

for changes to theorganisations QMS,includingquality policyand businessobjectives

Review Input andOutput clearly defined

ResourceManagement

Measurement,

Analysis and

Improvement

Product

Realisation

Management

Responsibility

Provision of Resources


86/101

The organisation shalldetermine and provide, intimely manner, the resourcesneeded:

a) To implement, maintain andimprove the processes of theQMS

b) To enhance customersatisfaction

Measurement,Analysis and

Improvement

Product

Realisation

Management

Responsibility

ResourceManagement

Human Resources


87/101

Human Resources

Personnel who areassigned responsibilitiesdefined in the QMS shallbe competent on thebasis of applicableeducation, training, skillsand experience

Provide training or takeother actions

Determine thenecessary competence

Evaluate theeffectiveness of actions

taken Maintain records

Measurement,

Analysis andImprovement

Product

Realisation

Management

Responsibility

Measurement,

Analysis andImprovement

Product

Realisation

Management

Responsibility

Resource

Management


88/101

Work Environment


89/101

Work Environment

The organisation shallidentify and manage thehuman and physical factorsof the work environmentneeded to achieveconformity of product

Examples includeorganisation culture, healthand safety etc.

NCRs cannot be raised onhealth and safety and/orenvironmental issues


Improvement

Product

Realisation

Management

Responsibility


Improvement

Product

Realisation

Management

Responsibility

Resource

Management

Planning of Product Realisation


90/101

The organisation shall plan anddevelop the processes necessary

for product realisation In planning the processes for

realisation of a product theorganisation shall determine thefollowing, as appropriate:

a) business objectives for theproduct, project or contract

b) the need to establish processesand documentation, and provideresources and facilities specific tothe product

c) verification and validationactivities, and criteria foracceptability

d) the records that are necessary to

provide confidence of conformity ofthe processes and resulting product.


Improvement

Management

Responsibility

ResourceManagement

Product

Realisation


91/101


92/101

Purchasing


93/101

Purchasing

Purchasing process The organisation shall

control its purchasingprocesses to ensurepurchased productconforms to requirements

Purchasing information

Purchasing documentsshall contain informationdescribing the product tobe purchased

Verification of purchasedproduct

Source inspection Customer verification

Measurement,

Analysis and

Improvement

Management

Responsibility

ResourceManagement

Product

Realisation

Production and Service Provision


94/101

The organisation shall control

production and serviceoperations including theprocesses forrelease,delivery and post deliveryactivities

Identification and traceability

Customer property including

intellectual property Preservation of product

including identification,handling,packaging,storage andprotection

Measurement,

Analysis and

Improvement

Management

Responsibility

ResourceManagement

Product

Realisation

Control of Monitoring and Measuring

Devices


95/101

Devices

The organisation shall

determine the monitoringand measurement to beundertaken and themonitoring and measuringdevices needed to provideevidence of conformityof product to determinedrequirements, (see 7.2.1)

Calibration

Identification

Safeguarded fromadjustment

Protection from damage Validity of previous results

Records maintained.

Computer software

Measurement,

Analysis and

Improvement

Management

Responsibility

ResourceManagement

Product

Realisation


96/101

Monitoring and Measurement


97/101

Measurement of

customer satisfaction

Internal Audit

timing of actions

including the

elimination of

detected NCRs andtheir causes

Monitoring and

measurement of QMS

processes

Monitoring andmeasurement of product

Management

Responsibility

Resource

Management

Product

Realisation


Improvement

Control of Nonconforming Product


98/101

The organisation shall ensurethat product that does not

conform to productrequirements is identified and controlled

prevented from unintendeduse

Documented procedure

Identification and traceability

Disposition Records shall be maintained

When detected after delivery oruse has started theorganisation shall take actionappropriate to the effects, or

potential effects

Management

Responsibility

Resource

Management

Product

Realisation


Improvement

Analysis of Data


99/101

The organisation shalldetermine, collect and

analyse appropriate data todemonstrate the suitabilityand effectiveness of theQMS and to evaluate wherecontinual improvement ofthe effectivess of the QMScan be made.

The analysis of data shallprovide information relating to

Customer satisfaction

Conformity to productrequirements

Characteristics and trends ofprocesses and products

Suppliers

Management

Responsibility

Resource

Management

Product

Realisation


Improvement

Continual Improvement


100/101

The organisation shall

continually improvethe effectiveness of theQMS through the use ofthe

Quality policy

Business objectives Audit results

Analysis of data

Corrective andpreventive actions

Management review

Corrective Action

Preventive Action

Management

Responsibility

Resource

Management

Product

Realisation


Improvement

Introduction and Scope of ISO19011:2002


101/101

19011:2002

Both the ISO 9000 and ISO 14000 series of standardsemphasise the importance of audits as a management toolfor monitoring and verifying the effectiveimplementation of an organisations policy for qualityand/or environmental management

This International Standard provides guidance on

conducting internal or external QMS and/or EMS audits,as well as on the management of audit programmes

It is discretionary whether or not QMS and/or EMS auditsare conducted separately or together

This International Standard can be applied to othermanagement system standards

internal auditing slides

Documents