An internal audit procedure is specified.

It must define:

> criteria

Q: What do we audit against?

A: Your procedures, ISO 9001:2000. Plus any industry specific regulations or contractual
requirements.

Tip: Read the relevant documentation prior to the audit and make an audit checklist of the key
aspects that you wish to audit. The checklist is merely an aide-memoir, don't be blinkered by it.

Ref ISO 9001:2000 requirements: For practice, see our quality objectives. Use the information
provided (all of which can be substantiated) to reach an objective decision. Have we achieved our
objectives ? Feel free to give us some feedback.

> scope

Q: How far do we go ?

A: Far enough to ensure the sequence and interaction of processes.

> program frequency

Q: How often ?

A: Internal audit program frequency is not specified in ISO 9001:2000. Normal practice is to audit
the whole QMS (but in bite-sized pieces) at least once per year or more often if considered
appropriate.

Tip: Use the company process-map (See 4.1 ) as a basis for the audit programme - plan to audit
related procedures (eg Enquiry & Quotation, Order Receipt, etc.) within a process (eg Sales) and
ensure there is some overlap into the next process.

> method

Q: How do we audit ?

A: Interviewing staff, observing activities and viewing relevant records.

> report results

Report the audit results to management. You need to include in your procedure how any problems
and improvements are followed up.

Q: What should be included in my report ?

A: Your report should be objective and provide a balanced view. Report good things (conformance),
bad things (non-conformance) and observations on possible improvements.

Q: What is a non-conformance ?

A: ISO 9000 defines non-conformity as the failure to fulfil a requirement. So, if you can
demonstrate that a requirement of ISO 9001, your procedures or other relevant document has not
been met then you have a non-conformance.
The term "observation" is your opinion - so make sure you report it as such.

> keep records see 4.2.4

Auditor training records are also required, see 6.2

Job Description:

1. confirm compliance with ISO 9001, any other regulations, company procedures, etc.

2. seek improvements (or simplifications) in processes.

> Tip: Don't forget to audit "top management".

There is considerable emphasis on top management (eg Directors) being seen to be on-board and
playing the game. Top management is defined as the person(s) who direct an organisation at the
highest level.

The principal message that management must get across is that the objective of this business is to
keep the customer happy.

Specifically, management must communicate these ideas (5.1, 5.2, 5.3, 5.5.1, 5.5.2, 5.5.3) to the
employees who should be aware of their own roles and responsibilities (6.2.2).

Notice that few of these clauses specify a procedure or a record – top management are simply
required to do it.
How to Audit Top Management..

This article is written mainly for third party auditors but the principals can be applied to any
company’s internal audit process.

Recognizing that the auditing of top management is a sensitive issue, this document provides
guidance for this category of auditing.

Auditors should involve top management in the audit, i.e. invite them to opening and closing
meetings, allow sufficient time in the audit plan for interviewing top managers, discuss audit
findings directly with them, seek evidence of their commitment. It is important to change the focus
of attention from just the quality manager to the top management of the organization.

The auditor should consider top management activities to be processes, and should audit them
accordingly.

Planning stage
The auditor needs to identify top management processes, and

• understand the organization and its management structure by reviewing information such
as organization charts, annual reports, business plans, company profiles, press releases,
websites,
• make provisions on the audit plan for gathering relevant information regarding top
management commitment directly from and by interviewing top management,
• understand the culture of the organization and its top management in order to determine
its impact on the audit plan and make appropriate adjustments.
• take a professional approach in the auditor’s own appearance by determining the dress
code of the organization.
• plan the timing of the top management interview to ensure convenience and punctuality.

An auditor with limited auditing experience should not be assigned to interview top management.

Conducting the audit

Common methods of evaluating top management commitment are:

1. Interviews with top management

The auditor can, by utilizing business terminology appropriate for the top management, ask relevant
questions that

a) seek to obtain evidence of top management’s awareness of and commitment to quality and
its relevance to the organization’s overall objectives and management system,
b) establish evidence of conformity to the ISO 9001 requirements for management
responsibility.

2. Collecting and corroborating evidence

The auditor/audit team should be constantly looking for opportunities to corroborate the
answers received from top management when interviewed.

This includes
 a) the availability and relevance of policies and objectives

b) the establishment of linkage between the policies and objectives

c) obtaining the evidence that these policies and objectives are effective and understood
throughout the organization

d) determining if the policies and objectives are appropriate for continual improvement of the
quality management system and for the achievement of customer satisfaction.

e) determining if top management are involved in management reviews.

Additional interviewing and gathering of evidence may be needed to provide the necessary
corroboration.

The audit team should ensure that any additional evidence of top management commitment is also
collected.

The auditor/audit team should review the collected evidence, to ensure the completeness and
accuracy of the information, and to provide confidence in the conclusions drawn.

Audit reporting

Auditors should prepare their audit reports in order to make them appropriate for presentation to
the top management of organizations. It may be appropriate to present an executive summary of
the audit report, suitable for presentation to the top management and key interested parties of the
organization. The executive summary should highlight the key findings, both positive and negative,
and identify opportunities for improvement.

Identification of processes
1. Distinguishing between the concepts of a process and an activity
If an auditee cannot distinguish between the concepts of a process and an activity, the auditor can
briefly explain the differences by using the guidance (clause 2.4) and definition ((3.4.1) in ISO
9000:2000 as background information. The auditor must be able to adapt to the auditee’s situation.
It is the auditor’s responsibility to understand the auditee’s systems and approach.

During the audit, the auditor should determine whether there is a problem of difference
of terminology only, or whether there is a lack of real implementation of the process approach by
the auditee. There may be a need to issue an NCR if the auditee is not fully implementing the
requirements stated in ISO 9001:2000, Clause 4.1. If this is simply a terminology problem, there
should be no need to issue an NCR, if all the requirements of in Clause 4.1 are satisfied.

The auditee has the right to use its own terminology, provided the requirements of the standard are
met. The auditor should mentally develop a cross-reference list to ensure consistency and better
understanding.

2. A process has defined objective(s), input(s), output(s), activities, and resources

If the auditee does not understand that a process must have defined (but not necessarily
measurable) objective(s), input(s), output(s), activities, and resources, the auditor should try
reformulating the questions to the auditee avoiding the use of QM jargon, e.g. Can you explain to
me your operations here? What are the basic jobs carried out in your department? What information
do you need to start your work? Where does it come from? Who receives the result of your work?
How do you know if you’ve done your job correctly? etc..
This should help the auditor to establish whether the processes (as per ISO 9001: 2000) are already

defined, have clear inputs, outputs, objectives and so on.

3. Processes should be analysed, monitored and/or measured, and improved

If after applying the audit techniques outlined above, there is an absence of any records or other
proof to demonstrate that the processes are analysed, and/or monitored, and/or measured, and/or
improved, there would appear to be non-conformity with part of ISO 9001:2000 Clause 4.1.

4. The auditee/auditor considers that each clause or sub-clause of ISO 9001:2000

must be defined as a separate process

If the auditor considers this as the right approach, he should refer to relevant ISO documents,
(notably the ISO/TC 176/SC 2 document N544 ISO 9000 Introduction and Support Package:
Guidance on the Concept and Use of the Process Approach) which clearly indicates the contrary.

If the auditee considers this as the right approach, it is recommended that the techniques outlined
in section 2 (above) should be used.

5. Is the process approach as described in the 'Introduction' to ISO 9001:2000 a

requirement of the standard?

The description of the process approach in the 'Introduction' to ISO 9001:2000 is purely
informative and does not introduce a set of additional requirements by itself. Clause 4.1 specifies
the steps necessary to implement a process approach with regard to quality management system
processes, the Note to clause 4.1 providing examples of processes needed for the quality
management system. Audit methodologies must be oriented, accordingly, towards analyzing the
processes of the organization.

Understanding the process approach

Helping an auditor to interpret the process approach

If an auditor does not understand or misunderstands the process approach, direct him or her to
recognized information sources, such as the standard ISO 9000:2000 Quality management systems –
Fundamentals and Vocabulary and the ISO 9000 Introduction and Support Package: Guidance on the
Concept and Use of the Process Approach for management systems (document ISO/TC176/SC2/N544,
available from http://www.iso.org/tc176/sc2 ).
A certification body/registrar should ensure that all its auditors have received sufficient training regarding
the new requirements in ISO 9001:2000, particularly those on the process approach. Thus, an auditor
should realise that several steps are needed, including the following:
- determining the processes and responsibilities necessary to attain the quality objectives of the
organisation;
- determining and providing the resources and information necessary;
- establishing and applying methods to monitor and/or measure and analyse each process;
- establishing and applying a process for continual improvement of the effectiveness of the QMS.
The process approach concept must be so well understood by auditors that they are not limited by the
terminology in the standard; however, auditees may use their own “in-house” terminology. Auditors must
be aware that the application of the process approach will be different from organisation to organisation,
depending on the size and complexity of the organisation and its activities. Special consideration should
be given to the situation in small and medium enterprises (SME’s), so that auditors should not expect so
many processes in their QMSs.

Helping an auditee to interpret the process approach

If an auditor is faced with a complete misunderstanding by an auditee, this situation should normally be
identified at the 1st stage audit.
The auditor should refer the auditee to recognized information sources, such as those indicated in the
section above. (In particular, the referenced ISO/TC 176/SC 2/N544 document sets out different steps in
the process approach and provides useful guidance with examples).
The auditee should also pay sufficient consideration to
- the establishment of process objectives,
- process planning,
- the availability of suitable records.

Auditees frequently identify too many processes; some or all of them are activities, which do not fulfil the
requirements of a process, in the sense that ISO 9001:2000 uses the concept. In this situation, an auditor
should (in the 1st stage audit) propose that the auditee performs a redefinition of its processes, based on
e.g. the criticality of the activities. This might be particularly relevant for SME’s.

This section explains what generic management system standards are.

Generic

Generic means that the same standard can be applied to any organization, large or small,
whatever its product or service, in any sector of activity, and whether it is a business enterprise, a
public administration, or a government department.

Management system

Management system refers to what the organization does to manage its processes, or activities,
so that its products or services meet the objectives it has set itself, such as:

 satisfying the customer's quality requirements,

 complying with regulations, or
 meeting environmental objectives.

Management system standards

 Management system standards provide a model to follow in setting up and operating a
management system. This model incorporates the features on which experts in the field have
reached a consensus as being the international state of the art.

Plan – Do – Check – Act

The Plan – Do – Check – Act (PDCA) cycle is the operating principle of ISO's management
system standards.

Plan – establish objectives and make plans (analyze your organization's situation, establish your overall
objectives and set your interim targets, and develop plans to achieve them).

Do – implement your plans (do what you planned do).

Check – measure your results (measure/monitor how far your actual achievements meet your planned
objectives).

Act – correct and improve your plans and how you put them into practice (correct and learn from your
mistakes to improve your plans in order to achieve better results next time).