Internal Auditor Training

ISO 9001-2008
 Internal Auditor Training ISO 9001-2008

2002. This training material is reserved for use by Prism eSolutions, LLC and its
customers. This material may not be copied, transmitted, or otherwise used without
the explicit permission of Prism eSolutions, LLC. In order to obtain copies of this
material or permission to use this material outside of the environment it was
distributed to you in, please contact Prism eSolutions, LLC at 700 American Avenue,
Suite 104, King of Prussia, PA 19406 or via the web at www.prismesolutions.com or
via phone at (610) 491-6000.

PN 230-200 revision 3.0

Page 2
Internal Auditor Training ISO 9001-2008

TABLE OF CONTENTS
This page intentionally left blank.Section 1: Introduction to Internal Auditing ..........4
Section 1: Introduction to Internal Auditing ...........................................................5
Introduction Exercise ........................................................................................5
Student Evaluation Criteria ................................................................................6
Audit Exercise................................................................................................. 19
Section 2: ISO Standard Requirements ................................................................ 33
Open Book Quiz - Sections 4, 5 & 6 ................................................................. 58
Open Book Quiz - Section 7 ............................................................................ 80
Open Book Quiz – Section 8 .......................................................................... 102
Procedures and Records Exercise ................................................................... 109
Clause Identification Exercise ........................................................................ 111
Section 3: Phases of Internal Auditing ............................................................... 113
Develop an Audit Matrix Exercise ................................................................... 119
Identification of Nonconformities Exercise ...................................................... 137
Section 4: Appendices ...................................................................................... 145
Ten Commandments of Internal Auditing ....................................................... 145
Sample Audit Checklist .................................................................................. 147

Page 3
 Internal Auditor Training ISO 9001-2008

This page intentionally left blank.

Page 4
Internal Auditor Training ISO 9001-2008

Section 1: Introduction to Internal Auditing

Introduction Exercise

Name:

Years with your organization:

Description of job responsibilities:

Class expectations:

Key question you want answered:

“Where would you rather be?”

Page 5
 Internal Auditor Training ISO 9001-2008

Student Evaluation Criteria

Contribution to course discussions

Attitude toward material
Clarity of written assignments
Verbal / presentation skills
Team participation

Student Evaluation Criteria

 Contribution to course discussions

 Positive Indicators

+ Effectively able to conduct an audit interview

+ Willingness to ask questions
+ Willingness to contribute personal experience
+ Responding to questions
+ Listening

 Negative Indicators

- Dominate discussions or group activities

- Unable to effectively conduct an audit interview
- Lack of involvement or interest
- Not responding to questions
- Distracting the class

Page 6
Internal Auditor Training ISO 9001-2008

 Attitude toward material

 Positive Indicators

+ Probing questions
+ Positive attitude toward material

 Negative indicators

- Cynical attitude
- Inappropriate questions

 Clarity of written assignments

 Positive Indicators

+ Clear, concise points

+ Understandable
+ Legible

 Negative Indicators

- Unclear

 Verbal / Presentation skills

 Positive Indicators

+ Clear voice
+ Correct language

 Negative Indicators

- Unclear

 Team participation

 Positive Indicators

+ Work as part of the team

+ Cooperate and contribute

 Negative Indicators

- Monopolizes the group

- No participation in the group

Page 7
 Internal Auditor Training ISO 9001-2008

Course Purpose & Objectives

Purpose:
 To provide you with theory and practical experience to
become an effective quality management system
auditor
Process:
 Class interaction, exercises, discussion, participant
presentations, student evaluation, and when all else
fails, lecture
Objectives:
 Provide participants with a basic understanding of the
quality management system auditing requirements as
well as the tools and techniques used in auditing

NOTES:

Page 8
Internal Auditor Training ISO 9001-2008

Terminology and Definitions

Quality System
 The organizational structure, procedures,
processes, and resources needed to implement
the quality management system (includes all
departments, documents, & the entire standard)
Quality Policy
 The overall intentions and direction of an
organization with regard to quality as formally
expressed by top management

Terminology and Definitions

Quality Management
 All activities of overall management used to determine the
quality policy, objectives, responsibilities, and processes of
the QMS and to ensure adequate implementation and
maintenance (includes internal auditors)
Quality Manual
 A formal and authorized document setting out the quality
policies, systems, procedures, and practices of an
organization; a bridge between the standard and the QMS

Page 9
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 10
Internal Auditor Training ISO 9001-2008

Terminology and Definitions

Procedure or Process
 A specific way to perform an activity such that it
achieves uniformly acceptable results
Corrective Action
 Action taken to eliminate the causes of an existing
nonconformity, defect, or other undesirable situation
in order to prevent recurrence
Certification
 The process by a duly authorized body of determining,
verifying, and attesting in writing to the qualifications
of a QMS in accordance with applicable requirements

Quality Management System

Documentation

Page 11
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 12
Internal Auditor Training ISO 9001-2008

ISO Hierarchy and Background

What is ISO?
 The International Organization for
Standardization
 ISO is a “United Nations” – to create common
sets of standards for trade and communication
 ANSI – American National Standards Institute -
represents the United States
 ANAB – ANSI/ASQ National Accreditation Board
– administers ISO in the United States

ISO Hierarchy and Background

ISO 9000 “Quality Management Systems –

Fundamentals & Vocabulary”

ISO 9001 “Quality Management Systems –

Requirements”

ISO 9004 “Quality Management Systems –

Guideline for Performance Improvements”

Page 13
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 14
Internal Auditor Training ISO 9001-2008

ISO 9001 May Be Required

Regulatory Requirements
 Regulations, laws, or agreements
 Industry standards (chemical, transportation, automotive, etc.)
 Product requirements (high pressure containers, scales,
implantable medical devices, etc.)
 National or local regulations
Customer Requirements
 Organizations may decide ISO certification will benefit
them when purchasing from a certified supplier
 The practice has proven successful in dealing with suppliers
 Generally accepted practice within industry and country
 Time or distance make supplier visits an expensive option

Quality Management System

Definition
ISO 8402 defines Internal Quality Auditing
as:
“…a systematic and independent examination
to determine whether quality activities and
related results comply with planned
arrangements and whether these
arrangements are implemented effectively
and are suitable to achieve objectives.”

Page 15
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 16
Internal Auditor Training ISO 9001-2008

Types of Quality Audits

Quality Management System

Process
Product or Service
Compliance – registration and surveillance
1st party – internal
2nd party – internal or external
3rd party – external

Quality Management System

Audit Goals

Verify documents address all requirements

 Manual, Procedures, Instructions, Records
Verify activities are consistent with documents
Verify process effectiveness
Identify opportunities for improvement
Provide value-added feedback to auditees

Page 17
 Internal Auditor Training ISO 9001-2008

Audit Performance
Relies on Objectivity
Gathering information
 Read (applicable documents)
 Listen (ask questions)
 Observe (watch activities)
Comparing information
 Objective evidence to known requirements
Drawing conclusions
 Does a “gap” exist?
 Is there an “inconsistency”?

NOTES:

Page 18
Internal Auditor Training ISO 9001-2008

Audit Exercise

While performing an audit of the Management Review process, the auditor observed
that in the meeting minutes of the most recent Management Review Meeting the VP
of Operations did not attend while an Operations Director did. The procedure,
which the auditor had reviewed during preparation, stated that required attendees
included the VP of Operations. Further, all previous minutes of Management Review
reviewed indicated she was in attendance. The auditor asked the quality system
Management Representative, the Process Leader, if he was aware of the required
attendees. The Management Representative responded correctly and explained that
the VP was absent because she had another meeting to attend. He also informed
the auditor that he had made out a deviation form to allow a substitute and showed
the auditor where the deviation form was filed.

1. Can you identify the three methods used by the auditor to gather information?

2. Are the activities observed consistent with the documents?

3. Is the Management Representative in compliance with the documented quality

management system?

4. Why did the auditor ask the Management Representative of his awareness of the
procedure?

Page 19
 Internal Auditor Training ISO 9001-2008

How to Implement an
Internal Audit Program

Understand internal audit requirements

Write internal audit procedure(s)
Select and train auditors
Prepare and publish a schedule
Conduct audits
Track results and take action
Report results to Management Review

NOTES:

Page 20
 May
April

June

NOTES:
March
January
February
X
4.1
QMS General requirements

X
4.2
QMS Document requirements

X
5.1
Management commitment

X
5.2
Customer focus

X
5.3
Quality policy

X
5.4
Planning

X
5.5
Responsibility, authority & communication
Internal Auditor Training ISO 9001-2008

X
5.6
Management review

X
6.1
Provision of resources

X
6.2

Human resources

X
6.3

Infrastructure

Page 21
X
6.4

Work environment
X
7.1

Planning of product realization

X
7.2

Customer-related processes
X

Design & Development

7.3

X
7.4

Purchasing
X
7.5

Production and service provision

X
7.6

Control of monitoring & measuring equipment

X
8.1

Measurement, analysis & improvement - General

X
8.2

Monitoring & measuring

Audit Schedule Sample #1

X
8.3

Control of nonconforming product

X

Analysis of Data
8.4

X
8.5

Improvement
 Internal Auditor Training ISO 9001-2008

Audit Schedule Sample #2

Area JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC

Team
Sales 2
Team
Engineering 3
Team
Purchasing 1
Team
Production 4
Team
Servicing 5
Team
Shipping 1

Material Team
Control 2

Team
Quality 3

Human Team
Resources 4

NOTES:

Page 22
Internal Auditor Training ISO 9001-2008

Tracking Mechanism

Responsible Response Follow-up Date Closed

Audit # Audit Date
Manager Due Date
2009-01 Jan. 5, 2009 J. Heely Feb. 12, 2009 April 1, 2009 April 7, 2009
2009-02 Feb. 17, 2009 M. Ropsen April 6, 2009 May, 1, 2009 May 5, 2009
2009-03 Mar. 11, 2009 P. Carrol May 1, 2009 July 1, 2009
2009-04 April 20, 2009 J. Hassing June 6, 2009

NOTES:

Page 23
 Internal Auditor Training ISO 9001-2008

Auditor Qualifications

Common sense
Understand ISO 9001
Understand your organization’s quality
management system
Understand auditing tools and techniques
Possess communication skills

NOTES:

Page 24
Internal Auditor Training ISO 9001-2008

Auditor Characteristics/
Aptitudes/ Attributes

The auditor must be able to work alone and in

teams
The auditor must gather information, often
from people who are nervous
The auditor will sometimes work in areas
where they have little or no technical
knowledge
The auditor will have to manage time well

Auditor Characteristics/
Aptitudes/ Attributes

Auditors should be:

 Curious – inquisitive – observant
 Independent – trained – good listeners
 Unbiased – impartial – objective
 Perceptive – focused – analytical
 Thick skinned – non threatening – personable
 Honest – professional – highest integrity

Page 25
 Internal Auditor Training ISO 9001-2008

Auditor Characteristics/
Aptitudes/ Attributes

Auditors should not be:

 Argumentative
 Rash (jumping to conclusions)
 Opinionated
 Rigid
 Poor communicator
 Lazy

NOTES:

Page 26
Internal Auditor Training ISO 9001-2008

Roles and Responsibilities

Audit Administrator
 Coordinate/participate in internal audits
 Maintain audit schedule and track results
 Report findings to management review

Auditor
 Be independent of the process(es) to be audited
 Prepare for assigned audits
 Perform objective internal audits in accordance with
training and procedures
 Complete all required reports

Roles and Responsibilities

Lead Auditor
 The lead auditor is ultimately responsible for all phases
of the audit
 Assist in selection of auditors
 Prepare audit plan
 Submit the audit report / share with auditee
Audit Team
 The audit team may include experts, trainees,
observers, etc. who are acceptable to the lead auditor

Page 27
 Internal Auditor Training ISO 9001-2008

Roles and Responsibilities

Others that may be included in an audit

 Observer
 Learner
 Witness
 Verifies audit activities
 Expert
 Specialized background
 Guide
 Escorts auditors, does not answer for auditee

NOTES:

Page 28
Internal Auditor Training ISO 9001-2008

Auditor Techniques and Skills

People skills
 Interviewing & listening
 Politeness – please and thank you
 Maintain eye contact at auditee eye level
Leadership skills
 You are a guest in their area
 Manage interruptions
Special skills
 Talk to correct people
 Be objective

NOTES:

Page 29
 Internal Auditor Training ISO 9001-2008

An Overview of ISO 9001

ISO 9001 is written from the perspective of

the customer
Conformance to customer requirements
and continual improvement are methods to
ensure customer satisfaction

NOTES:

Page 30
Internal Auditor Training ISO 9001-2008

What is a
Quality Management System

NOTES:

Page 31
 Internal Auditor Training ISO 9001-2008

Triangle of Commitment

MANAGEMENT REVIEWS
Evaluate performance in relation to
purpose (Quality Policy)

CORRECTIVE & PREVENTIVE INTERNAL AUDITS

ACTIONS
Prevent problems or fix problems if Monitor processes for compliance with
prevention didn’t work requirements

NOTES:

Page 32
Internal Auditor Training ISO 9001-2008

Section 2: ISO Standard Requirements

Page 33
 Internal Auditor Training ISO 9001-2008

Classification of Elements

 Primary Elements
 Have clear, auditable requirements that must
be met
 Typically addressed by a level 2 document (but
not always)

Classification of Elements

 Reference Elements
 Reinforce requirements that are more clearly and
exactly specified in another Primary element
 Typically addressed only in the quality manual
 When addressed in a level 2 document, usually in
the level 2 for the Primary element they reinforce
 Only one Reference Element adds a requirement,
4.2.1, “documented statements”

Page 34
Internal Auditor Training ISO 9001-2008

Classification of Elements

 To facilitate understanding and application of

the ISO-9001:2008 standard, elements are
classified into two general types:
 Reference (elements 4.1, 4.2.1, 5.1, 5.2, 5.4.2,
5.5.1, 5.5.3, 6.1, 8.1)
 Primary (elements 4.2.2, 4.2.3, 4.2.4, 5.3, 5.4.1,
5.5.2, 5.6, 6.2, 6.3, 6.4, 7 (all), 8.2, 8.3, 8.4, 8.5)

NOTES:

Page 35
 Internal Auditor Training ISO 9001-2008

4.2.2 Quality Manual

(Primary Element)

 A Quality Manual shall be established and

maintained that includes the following:
a) The scope of the QMS including details of and
justification for any exclusions
b) Documented procedures or reference to them
c) A description of the sequence and interaction
of the processes included in the QMS

NOTES:

Page 36
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 37
 Internal Auditor Training ISO 9001-2008

4.2.3 Control of Documents

(Primary Element)

 A documented procedure (#1) shall be

established:
a) To approve documents for adequacy prior to use
b) To review, update as necessary and re-approve documents
c) Identify the current revision status of documents
d) Documents remain legible, readily identifiable and retrievable
e) Relevant versions of documents are available at points of use
f) Documents of external origin are identified and distribution is
controlled
g) To prevent the unintended use of obsolete documents and
identified if they are retained for any purpose Procedure
Required

NOTES:

Page 38
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 39
 Internal Auditor Training ISO 9001-2008

4.2.4 Control of Records

(Primary Element)

 A documented procedure (#2) shall be

established for identification, storage, retrieval,
protection, retention and disposition of records
Procedure
Required

NOTES:

Page 40
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 41
 Internal Auditor Training ISO 9001-2008

5.3 Quality Policy

(Primary Element)

 Appropriate to the purpose of the organization

 Commitment to meeting requirements and to continual
improvement
 Provides a framework for establishing and reviewing quality
objectives (i.e., the policy must be measurable)
 Communicated and understood at appropriate levels in the
organization
 Is reviewed for continuing suitability
 Documented statements of quality policy and quality
objectives (ref. 4.2.1)

NOTES:

Page 42
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 43
 Internal Auditor Training ISO 9001-2008

5.4.1 Quality Objectives

(Primary Element)

 Establish quality objectives at relevant functions and

levels within the organization
 Objectives must be measurable & consistent with
quality policy & commitment to continual
improvement
 Documented statements of quality policy and quality
objectives (ref. 4.2.1)

NOTES:

Page 44
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 45
 Internal Auditor Training ISO 9001-2008

5.5.2 Management Representative

(Primary Element)

 Member of the management who has

responsibility for:
a) Ensuring that processes of the QMS are established
and maintained
b) Reporting on performance of QMS including needs
for improvement
c) Promoting awareness of customer requirements
throughout the organization
 The Management Representative must be a
member of the organization

NOTES:

Page 46
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 47
 Internal Auditor Training ISO 9001-2008

5.6.1 Management Review

(Primary Element)

 Review of the QMS by top management

at planned intervals to:
a) Ensure QMS suitability, adequacy &
effectiveness
b) Evaluate the need for changes to the QMS
including policy & objectives
c) Assess opportunities for improvement
d) Retain records

Records
Required

NOTES:

Page 48
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 49
 Internal Auditor Training ISO 9001-2008

5.6.2 Review Input

(Primary Element)

Input to management review shall include:

a) Results of audits
b) Customer feedback
c) Process performance and product/service
conformance
d) Status of preventive & corrective action
e) Follow up actions from earlier reviews
f) Changes affecting the QMS
g) Recommendations for improvement

NOTES:

Page 50
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 51
 Internal Auditor Training ISO 9001-2008

5.6.3 Review Output

(Primary Element)

Output from management review shall

include actions related to:
a) Improvement of the effectiveness of the
QMS and its processes
b) Improvement of products/services related to
customer requirements
c) Resource needs

NOTES:

Page 52
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 53
 Internal Auditor Training ISO 9001-2008

6.2.1 Human Resources (General)

6.2.2 Competence, Training & Awareness
(Primary Elements)

 Those who have responsibilities defined in the QMS shall be

competent on the basis of appropriate education, training, skills
and experience
 Determine competency needs
 Provide required training
 Evaluate the effectiveness of the training provided
 Ensure staff are aware of the relevance and importance of their
activities and contribution to achieving objectives
 Maintain appropriate records of education, training, qualifications
and experience
Records
Required

NOTES:

Page 54
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 55
 Internal Auditor Training ISO 9001-2008

6.3 Infrastructure
6.4 Work Environment
(Primary Elements)

 The organization shall identify, provide and

maintain the infrastructure it needs to achieve the
conformity of product and/or service, for example
a) Workspace & associated facilities
b) Equipment (hardware & software)
c) Supporting services (transport, communications,
information systems)

 The organization shall identify and manage the

work environment needed to achieve conformity
of product and/or service

NOTES:

Page 56
Internal Auditor Training ISO 9001-2008

NOTES:

Page 57
 Internal Auditor Training ISO 9001-2008

Open Book Quiz - Sections 4, 5 & 6

Statement: Answer:
1. Top management must meet periodically to review the adequacy of the
QMS. Records of these meetings shall be maintained.
2. Where personnel perform work that affects conformity to requirements the
required competence of those personnel is determined.
3. Wherever the term “documented procedure” appears in the standard, this
means a written procedure must be created and maintained.

4. Computers and information systems must be adequately maintained.

5. When processes are outsourced these processes are controlled by the

organization and the method of control is defined.
6. When documents that are created outside the organization are used in a way
that affects products, these documents need to be controlled.
7. The environment in which personnel perform their work shall be conducive
to product conformity.

8. The quality policy and quality objectives must be written down someplace.

9. The management representative must be selected from the organization’s

management staff.
10. Objective evidence that the quality system is implemented and effective is
maintained such that it is easily identified and retrieved.

Page 58
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 59
 Internal Auditor Training ISO 9001-2008

7.1 Planning of Product Realization

(Primary Element)

Determine quality objectives & requirements

Determine the processes & documents, and
provide resources needed
Determine required verification, validation,
monitoring, measuring, inspection & test activities
for the product
Determine records needed for evidence of meeting
product requirements Records
Required

NOTES:

Page 60
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 61
 Internal Auditor Training ISO 9001-2008

7.2.1 Determination of Product Requirements

(Primary Element)

 Organization shall determine customer

requirements including:
a) Specified customer’s requirement’s for product and/or
service including availability, delivery & support
b) Requirements not specified by the customer but
necessary for intended or specified use
c) Regulatory and legal requirements
d) Any additional requirements considered necessary by
the organization

NOTES:

Page 62
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 63
 Internal Auditor Training ISO 9001-2008

7.2.2 Review of Requirements of Product

(Primary Element)

 Review identified requirements and ensure before

commitment to supply product and/or service
that:
Records
a) Requirements are defined Required

b) Differences between tender & contract are resolved

c) Organization has ability to meet the requirements
 Confirm verbal orders
 Where the customer provides no documented
requirements, requirements must be confirmed
prior to acceptance of the order
 Documentation to be amended in case of changes
& personnel made aware

NOTES:

Page 64
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 65
 Internal Auditor Training ISO 9001-2008

7.2.3 Customer Communication

(Primary Element)

 Implement arrangements for

communication with customers relating to:
a) Product and/or service information
b) Inquiry & order handling including
amendments
c) Customer feedback including customer
complaints

NOTES:

Page 66
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 67
 Internal Auditor Training ISO 9001-2008

7.3 Design and Development

(Primary Element)

7.3.1 Design & development planning

7.3.2 Design & development input
7.3.3 Design & development output
7.3.4 Design & development review
7.3.5 Design & development verification
7.3.6 Design & development validation
7.3.7 Control of changes
Records
Required

NOTES:

Page 68
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 69
 Internal Auditor Training ISO 9001-2008

7.4 Purchasing Information

(Primary Element)

Records

7.4.1 Purchasing Process Required

 Ensure purchased product conforms

 Supplier selection, evaluation & re-evaluation
7.4.2 Purchasing information
 Describe the product purchased
 Verify specified purchase requirements
7.4.3 Verification of purchased product
 Receiving/inspection activities

NOTES:

Page 70
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 71
 Internal Auditor Training ISO 9001-2008

7.5 Production and Service Provision

(Primary Element)

 7.5.1 Production & service provision control

 Work instructions, equipment, measurement, etc.
 7.5.2 Validation of processes
 “Special Processes”
 7.5.3 Identification & traceability
 Throughout product realization
 Monitoring & measuring status
Records
Required

NOTES:

Page 72
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 73
 Internal Auditor Training ISO 9001-2008

7.5 Production and Service Provision

(Primary Element)

7.5.4 Customer property

 Identify, verify, protect and safeguard
7.5.5 Preservation of product
 Identification, handling, packaging, storage &
protection

NOTES:

Page 74
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 75
 Internal Auditor Training ISO 9001-2008

7.6 Control of Monitoring & Measuring

Equipment (MME) (Primary Element)

 Determine measurements to be made & MME required

 Use MME consistent with measurement requirements
 Measuring and monitoring software must be validated
 Calibrate and adjust MME at specified intervals or prior
to use, (traceability to international or national
standards; where no such standard exists, record the
basis)
Records
Required

NOTES:

Page 76
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 77
 Internal Auditor Training ISO 9001-2008

7.6 Control of Monitoring & Measuring

Equipment (MME) (Primary Element)

 Adjusted or readjusted as necessary

 Identified
 Safeguard from adjustments that would invalidate the
measurement result
 Safeguard from damage
 Assess the validity of previous measuring results when
equipment is found to be out of calibration

NOTES:

Page 78
Internal Auditor Training ISO 9001-2008

NOTES:

Page 79
 Internal Auditor Training ISO 9001-2008

Open Book Quiz - Section 7

Statement: Answer:
1. Suppliers of materials and services affecting product conformity must be
evaluated and re-evaluated adequately to ensure conformance with the
requirements specified on the purchase order.
2. Where product conformance cannot be verified by inspection, the relevant
processes must be validated.
3. If the customer doesn’t provide documented requirements the organization
must confirm the requirements with the customer prior to accepting the
order.
4. Design outputs must be verified against the design input and approved prior
to release.
5. Materials are stored and preserved in a manner that prevents deterioration
and assures conformity to requirements.
6. Where necessary, prior to accepting an order, the organization shall consider
the documents, records, processes, etc. necessary to deliver the product to
the customer.
7. Production personnel must have the information, work instructions, and
process and product measuring equipment required to perform their jobs.
8. Customer property may include intellectual property such as proprietary
designs.
9. Where test equipment incorporates computer software, this software is
verified, as needed, prior to first use and re-verified as necessary.
10. The results of tests, such as product inspection, must be clearly identified
throughout the organization.
11. Before quoting a job, the organization reviews all requirements and ensures
it has the ability to deliver the product. Records of this review are
maintained.
12. Where required to prevent mistakes, materials used to produce the product
are clearly identified from the receiving dock to the shipping dock.

Page 80
Internal Auditor Training ISO 9001-2008

Guidelist

What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 81
 Internal Auditor Training ISO 9001-2008

8.2.1 Customer Satisfaction

(Primary Element)

Organization shall monitor information on customer

satisfaction and/or dissatisfaction as one of the
measurements of performance of the QMS
The methods for obtaining and utilizing such
information shall be determined
 These methods may be both proactive and reactive

NOTES:

Page 82
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 83
 Internal Auditor Training ISO 9001-2008

8.2.2 Internal Audit

(Primary Element)

 Conduct periodic internal audits to determine if the QMS conforms to

the requirements of the standard & is effectively implemented and
maintained
 Plan the audit program considering:
 Status & importance of the activity & results of previous audits
 Independence of the personnel performing the audit
 Impartiality and objectivity of the auditors Procedure

 The documented procedure (#3) must cover: Required

 Responsibilities & requirements for planning & conducting audits

 Recording results
 Reporting to management

Records
Required

NOTES:

Page 84
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 85
 Internal Auditor Training ISO 9001-2008

8.2.2 Internal Audit

(Primary Element)

 Define audit scope, frequency & methodologies

 Timely corrections and/or corrective actions by
management
 Follow up to verify & report implementation of
corrective actions

NOTES:

Page 86
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 87
 Internal Auditor Training ISO 9001-2008

8.2.3 Monitoring and Measurement

of Processes (Primary Element)

Apply suitable methods for measurement &

monitoring of processes necessary to meet
customers requirements
These shall confirm the continuing ability of
each process to satisfy its intended purpose
When planned results are not achieved, take
appropriate correction and/or corrective
action without undue delay

NOTES:

Page 88
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 89
 Internal Auditor Training ISO 9001-2008

8.2.4 Monitoring & Measurement

of Product and/or Service (Primary Element)

 Measure & monitor product/service characteristics to verify

that the requirements of product are met, this shall be
carried out at appropriate stages of the product/service
realization
 Evidence of conformance with the acceptance criteria to be
documented. Records shall indicate the person(s)
authorizing release of the product/service
 Product/service release shall not occur until all specified
activities have been satisfactorily completed
Records
Required

NOTES:

Page 90
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 91
 Internal Auditor Training ISO 9001-2008

8.3 Control of Nonconforming Product

(Primary Element)

Procedure
Required
 Documented procedure (#4) for control of
nonconforming product/ and/or service to prevent
unintended use
 Nonconforming product and/or service to be
dispositioned
 Re-verify after correction
 If nonconformance detected after delivery take
appropriate action
 Where required by customer or regulatory body,
concession for use must be obtained
Records
Required

NOTES:

Page 92
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 93
 Internal Auditor Training ISO 9001-2008

8.4 Analysis of Data

(Primary Element)

 Collect & analyze data to determine suitability and

effectiveness of the QMS and to identify where
improvements can be made
 Include data from measurement & monitoring &
other relevant sources
 Analyze data to provide information on:
a) Customer satisfaction and/or dissatisfaction
b) Conformance to customer requirements
c) Characteristics of processes, products and/or services
and their trends
d) Supplier performance

NOTES:

Page 94
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 95
 Internal Auditor Training ISO 9001-2008

8.5.1 Continual Improvement

(Primary Element)

 The organization must plan and manage processes

necessary for continual improvement of the QMS
 Facilitate continual improvement using:
a) Quality policy
b) Objectives
c) Audit results
d) Analysis of data
e) Corrective actions
f) Preventive actions
g) Management review

NOTES:

Page 96
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 97
 Internal Auditor Training ISO 9001-2008

8.5.2 Corrective Action

(Primary Element)

 Documented procedure (#5) for corrective action to

eliminate the causes of nonconformance and prevent
recurrence Procedure
Required

 Actions appropriate to the impact of the problems

encountered
a) Identification of nonconformances including customer complaints
b) Determine the cause of the nonconformity
c) Evaluate the need for actions to ensure nonconformities do not
recur
d) Determining & implementing the corrective action needed
e) Recording the results of actions taken
f) Reviewing the effectiveness of corrective action taken
Records
Required

NOTES:

Page 98
Internal Auditor Training ISO 9001-2008

Guidelist
What do I look at? Who do I talk to? What do I look for? Where do I look for it?

Page 99
 Internal Auditor Training ISO 9001-2008

8.5.3 Preventive Action

(Primary Element)

 Documented procedure (#6) for preventive action to

eliminate the causes of potential nonconformances to
prevent occurrence Procedure
Required

 Preventive action taken shall be appropriate to the impact

of the potential problems
a) Identification of potential nonconformances and their causes
b) Determining and ensuring the implementation of preventive action
needed
c) Recording results of action taken
d) Review the effectiveness of preventive action taken

Records
Required

NOTES:

Page 100
Internal Auditor Training ISO 9001-2008

This page intentionally left blank.

Page 101
 Internal Auditor Training ISO 9001-2008

Open Book Quiz – Section 8

Statement: Answer:
1. Records of the product inspection process include the identity of the person
or persons responsible for releasing the product for shipment to the
customer.
2. Internal auditors are impartial and objective and do not audit their own areas
of responsibility.
3. Where risks are identified that may cause the failure of a product or process,
appropriate action is taken to eliminate or minimize the risk.
4. When processes are not achieving the intended objectives suitable
corrections or corrective actions are implemented to remedy the issue.
5. Product that does not conform to customer requirements, and is reworked,
must be reinspected to verify that customer requirements are met. Records
of this reinspection must be maintained.
6. Nonconforming products and processes are utilized as sources for corrective
actions.
7. No product is shipped to the customer until all planned inspections and tests
are completed unless approved by appropriate management, and the
customer where warranted.
8. Nonconforming material and product must be clearly identified as
nonconforming to ensure it is not used by accident.
9. All deficiencies, identified by internal audit, are corrected either through the
corrective action process or some other documented form of correction.
10. Supplier performance data is determined, collected and analyzed to evaluate
qualification.
11. Methods such as customer surveys and warranty information are used to
determine how the customer feels about the overall quality of the
organization.
12. All appropriate resources are utilized to identify opportunities for continually
improving both products and processes.
13. Records must be maintained that demonstrate that the product shipped to
the customer meets all acceptance criteria.

Page 102
Internal Auditor Training ISO 9001-2008

4.1 General Requirements

(Reference Element)

 Determine processes necessary for QMS (ref. 4.2.2)

 Determine the sequences and interaction of processes
(ref. 4.2.2)
 Determine criteria & methods to ensure effective
operation & control of these processes (ref. 8.2.3, 8.4)
 Ensure availability of resources & information needed to
effectively operate & monitor processes (ref. 6)
 Measure, monitor, analyze processes (ref. 8.2.3, 8.4)
 Act as necessary to achieve planned results and
continual improvement (ref. 7.1, 8.5.1)
 Control outsourced processes (ref. 7.4)

4.2.1 Documentation
Requirements (General) (Reference Element)

 Documented statements of quality policy and quality

objectives (ref. 5.3, 5.4.1)
 A quality manual (ref. 4.2.2)
 Documented procedures and records required by the
International Standard (ref. 4.2.2, “documented
procedure”, “see 4.2.4”)
 Documents and records needed to ensure effective
planning, operation and control of processes (ref. 7.1,
7.5.1)

Page 103
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 104
Internal Auditor Training ISO 9001-2008

5.1 Management Commitment

5.2 Customer Focus (Reference Elements)

 Shall provide evidence of commitment to the

development and improvement of the QMS by:
a) Communicating the importance of meeting customer and
legal/regulatory requirements (ref. 7.2.1)
b) Establishing quality policy (ref. 5.3)
c) Ensuring that quality objectives are established (ref. 5.4.1)
d) Conducting management reviews (ref. 5.6)
e) Ensuring availability of resources (ref. 6)
 Customer requirements are determined and met to the
satisfaction of the customer (ref. 7.2, 8.2.1, 8.2.4)

5.4.2 Quality Management System Planning

(Reference Element)

Top management shall ensure that the QMS is

carried out in order to meet requirements as well
as quality objectives (ref. 5.6.1)

Top management shall ensure that the integrity

of the QMS is maintained when changes to the
QMS are planned and implemented (ref. 5.6.2)

Page 105
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 106
Internal Auditor Training ISO 9001-2008

5.5.1 Responsibility and Authority

5.5.3 Internal Communication
(Reference Elements)

 Top management shall ensure that the

responsibilities, authorities and their
interrelation are defined and communicated
throughout (ref. 4.2.2, 6.2.1)
 The organization shall ensure communication
between various levels and functions regarding
the processes of the QMS and their
effectiveness (ref. 4.2.2, 5.4.1)

6.1 Provision of Resources

(Reference Element)

 Determine & provide resources needed to:

a) Implement and improve the processes of the
quality management system
b) Address customer satisfaction

(ref. 6.2, 6.3, 6.4)

Page 107
 Internal Auditor Training ISO 9001-2008

8.1 Measurement, Analysis &

Improvement (General) (Reference Element)

The organization shall plan and implement

monitoring, measurement & analysis activities to
assure conformance and achieve improvement
(ref. 8.2.3, 8.4)
This includes determination of the need and use
of applicable methodologies and statistical
techniques (ref. 8.4)

NOTES:

Page 108
Internal Auditor Training ISO 9001-2008

Procedures and Records Exercise

Quality System Element “documented procedure” “see 4.2.4”

4.1 QMS General requirements --- ---
4.2 QMS Document requirements 4.2.1, 4.2.2, 4.2.3, 4.2.4 4.2.1
5.1 Management commitment
5.2 Customer focus
5.3 Quality policy
5.4 Planning
5.5 Responsibility, authority &
communication
5.6 Management review
6.1 Provision of resources
6.2 Human resources
6.3 Infrastructure
6.4 Work environment
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring &
measuring devices
8.1 Measurement, analysis &
improvement - General
8.2 Monitoring & measuring
8.3 Control of nonconforming product
8.4 Analysis of data
8.5 Improvement

Page 109
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 110
Internal Auditor Training ISO 9001-2008

Clause Identification Exercise

Statement: Answer:
1. Product released for use prior to completion of all required inspections
will be approved by a relevant authority, including the customer where
needed.

2. The quality system and its documentation structure are defined in a

quality manual that covers the requirements of the appropriate American
National Standard.

3. The inspection process includes evidence that the inspections are taking
place. These records identify the authority of the employee releasing
the product.

4. During the design of a new product, responsible personnel carry out

documented meetings, at appropriate intervals, to review progress and
compliance with the design plan.

5. Appropriate methods are utilized to monitor and control system

processes to ensure they are capable of meeting requirements.

6. Documents that have been superseded by a later revision are either

promptly removed from use or clearly identified as obsolete.

7. Management reviews relevant information to confirm that the preventive

action process is implemented and effective.

8. Before quoting a job or accepting an order, the organization ensures the

customer’s requirements are known and that they can be achieved.
Records of this process are maintained.

9. Objective evidence that the quality system is implemented and effective

is maintained such that it is protected from damage and retrievable
within a reasonable period of time.

10. Where the work performed affects quality, the organization ensures that
the authority and responsibility of the personnel, who manage, perform
and verify that work is defined and understood.

11. Deficiencies, identified by internal audit, are brought to the attention of

appropriate management, which initiates timely action to correct the
deficiencies.

12. Purchase orders for products that affect the quality of the product are
reviewed for adequacy by appropriate personnel prior to release to the
supplier.

13. At a frequency based on importance, the organization verifies that

quality system activities, and the results achieved, comply with the
objectives of the quality system plan.

Page 111
 Internal Auditor Training ISO 9001-2008

Clause Identification Exercise

Statement: Answer:
14. A reasonably senior representative of management is appointed who has
the responsibility and authority to ensure the quality system is defined,
implemented and achieves objectives.

15. Material or product found to be nonconforming to specifications is clearly

identified and controlled to prevent any accidental or unintended use.

16. The correct issue of documents, necessary for producing a quality

product, is available to the employees performing the work.

17. Computer software and comparative references used as inspection

devices are verified for suitability prior to first use and rechecked at
appropriate intervals to ensure continued accuracy.

18. Materials and services affecting the quality of the product are obtained
only from suppliers that can meet the requirements specified on the
purchase order.

19. Personnel performing quality related tasks are qualified based on

training, education or experience. Records of this qualification are
maintained.

20. Top management defines its policy, objectives and commitment to

quality and ensures these are understood and implemented throughout
the organization.

21. Materials and products throughout the organization’s operation are

suitably identified concerning the performance of required inspections
and the results of those inspections.

22. Customer complaints are reviewed to determine whether or not

corrective actions are required or justified.

23. Materials and products included in the scope of the quality system are
clearly identified throughout the organization’s operation from the
receiving dock to the shipping dock.

24. Materials or products having shelf life or environmental considerations,

such as temperature or humidity, are stored and preserved in a manner
that prevents deterioration.

25. Written work instructions are maintained and available in production

where the instructions are necessary to ensure the quality of the
product.

Page 112
Internal Auditor Training ISO 9001-2008

Section 3: Phases of Internal Auditing

Page 113
 Internal Auditor Training ISO 9001-2008

Four Phases of an Audit

1 Planning & Preparation

2 Conducting

3 Closing & Reporting

4 Follow-up

Audit Planning & Preparation 2 3

4

Determine:
 Auditing by area, function, element or process
 Define scope of audit
 Determine supporting documents needed
 If working in a team, determine individual
responsibilities
 Determine agenda, time, and locations
 Assemble other paperwork

Page 114
Internal Auditor Training ISO 9001-2008

Audit Planning & Preparation 2 3

4

Notify area of audit

 Send notice to area, functional manager
 Give adequate lead time

Schedule
 Opening Meeting
 Tour of the facility or area as necessary
 Closing meeting

NOTES:

Page 115
 Internal Auditor Training ISO 9001-2008

Audit Scope
 Benefits of a well defined
Entire Quality scope:
 An efficient audit
Management System:
 Reduced time for all
 Better coverage of the area
Manual to be audited
Procedures
 Determine and examine the
Instructions supporting elements for the
Forms audit
ISO Elements  Stay within the defined scope
(5.3, 6.2, 7.1, etc.) unless a lead is discovered
 Then follow the lead outside
Organization Areas of the scope to determine
(Sales, Purchasing, etc.) the effect on the system

1
2 3
Preparation Hints 4

Review all documents

 The standard
 Your organization’s documents
Review previous audits
 Results
 People interviewed
Review corrective actions
 Closed
 Open

Page 116
Internal Auditor Training ISO 9001-2008

NOTES:

Page 117
 Internal Auditor Training ISO 9001-2008

How to Use a Checklist 2 3

4

The audit checklist is one of the most helpful

tools and is used to:
 Prepare for the audit
 Ensure audit coverage
 Record notes, evidence, findings, and observations
 Manage time
 Report the audit
 Use to prepare a guidelist

NOTES:

Page 118
 Department
4.1 QMS General requirements
4.2 QMS Document requirements
5.1 Management commitment
5.2 Customer focus
5.3 Quality policy
Internal Auditor Training ISO 9001-2008

5.4 Planning
Develop an Audit Matrix Exercise

5.5 Responsibility, authority & communication

5.6 Management review

6.1 Provision of resources

Page 119
6.2 Human resources
6.3 Infrastructure
6.4 Work environment
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring & measuring equipment

8.1 Measurement, analysis & improvement - General

8.2 Monitoring & measuring

8.3 Control of nonconforming product
8.4 Analysis of data
8.5 Improvement
 Internal Auditor Training ISO 9001-2008

Developing a Guidelist 2 3
4

 Begin with an audit checklist

a) A generic one of your organization
 Advantages:
a) Keeps objectives clear
b) Standardizes audits
c) Simplifies the audit process
 Disadvantages:
a) Time consuming preparation
b) Discourages initiative
 Define three things:
a) Who do I “talk to?”
b) What do I “look at?”
c) What do I “look for?”

NOTES:

Page 120
Internal Auditor Training ISO 9001-2008

Stages of Conducting the Audit 2 3

4

Stage 1 (Management)

 Hold an opening meeting

Introduce audit team
Review audit objectives and scope
Review audit schedule
Confirm time and location of closing meeting

 Tour if necessary

NOTES:

Page 121
 Internal Auditor Training ISO 9001-2008

Stages of Conducting the Audit 2 3

4

Stage 2 (Workforce)
 Introduce yourself
 Explain purpose of the audit
 Explain that an internal quality audit is an audit of:
 Systems
 Processes
 Methods
 Not people
 Gather information
 Read
 Listen
 Observe

NOTES:

Page 122
Internal Auditor Training ISO 9001-2008

How to Conduct Yourself 2 3

4

 Be punctual
 Be polite – please and thank you, ask permission
 Be professional, yet friendly
 Maintain eye contact at auditee eye level
 Keep an open mind
 Be flexible
 Be persistent, yet pleasant
 Put people at ease
 Avoid arguments – move on to the next person
 Establish non-threatening environment

8 Step Interviewing Method 2 3

4

1. Make the auditee comfortable

2. Explain the purpose of your visit
3. Ask auditee to summarize his/her responsibilities and
typical activities
4. Record major steps and analyze what was said and/or
not said
5. Review procedures and samples
6. Record observations, examples, samples,
nonconformities, (don’t make a lot of copies)
7. Review your findings
8. Explain the next step(s)

Page 123
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 124
Internal Auditor Training ISO 9001-2008

Types of Questions 2 3
4

Opinion – “How would you go about…?”

Investigative – “Are there any more…?”
Repetitive – “Tell me again…”
Hypothetical – “What if…?”
Leading – “You know how…?”
Informative – “And then what…?”
Imperative – “Please show me…?”
Don’t lose sight of the power of a DIRECT
question.

Types of Questions 2 3
4

All questions can be phrased in a way that

makes them “OPEN ENDED” or “CLOSED
ENDED” questions
 Open ended questions begin a conversation
 Closed ended questions can be answered with a
simple yes or no
 Both open and closed ended question have their uses

Who, what, when, where, how, why & show me

Page 125
 Internal Auditor Training ISO 9001-2008

Information Gathering Techniques 2 3

4

 “Please explain what you are doing”

 “What procedures and or work instructions do you
have for this?”
 “Please show me the procedures or work
instructions for what you are doing?”
 “How do you know this is the current procedure?”
 “What happens when this procedure changes?”
 “What training have you had?”

Information Gathering Techniques 2 3

4

 “What happens when you are not here?”

 “How do you know if the measuring device you’re
using is calibrated?”
 “Please show me the records you keep for this
operation?”
 “Please show me your job description?”
 “What, in your own words, is the company quality
policy?”
 “How do you initiate corrective action?”
 “Do you train others? Do you keep records of this
training?”

Page 126
Internal Auditor Training ISO 9001-2008

Sampling 2 3
4

Sample – definition:
 “A part of a population studied to gain information
about the whole”
Auditors sample:
 Procedures
 People
 Departments
 Records
An audit sample needs to be representative
The audit sample is chosen by the auditor

NOTES:

Page 127
 Internal Auditor Training ISO 9001-2008

This page intentionally left blank.

Page 128
Internal Auditor Training ISO 9001-2008

Closing and Reporting - Work Papers

2 3
4

Auditors are required to retain records

Records can take the form of work papers
Work papers may include:
 Notes: used for interviews, visual confirmation and
record of items reviewed.
 Guidelist: used for recording specifics such as people
talked to and items reviewed
 Checklist: used for recording actual questions asked
during the audit
 Previous audit reports: used in follow-up activities
 Objective evidence: recorded during the audit

Objective Evidence 2 3
4

 Information which can be proved true, based on

facts obtained through observation, measurement,
test, or other means
 Qualitative or quantitative information, records, or
statements of fact, which is based on observation,
measurement, or test and which can be verified

JUST THE FACTS!

Page 129
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 130
Internal Auditor Training ISO 9001-2008

Evaluation Process
1) EXISTENCE: 3) Are we doing what
we say?
•Quality Manual
•Procedures Does practice match
•Work Instructions
•Specifications 2) ADEQUACY: the documentation?
•ISO 9001 4) Are the
•Other Requirements 3) COMPLIANCE: practices
1) Does a •Requirements implemented achieving
documented •Authority defined their goals?
quality 2) Does the
•Documents followed
•Records acceptable
management documented QMS 4) EFFECTIVENESS:
system exist? meet the
•Achieving goals
requirements of •Satisfying customers
ISO 9001?

Perception of Facts 2 3
4

Perceptions of the same facts may differ

Highlights the critical need to discuss audit
findings with:
 Other auditors
 Auditees
 Audit management
 Area management
Avoid:
 Misunderstanding of facts
 Misinterpretation of facts

Page 131
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 132
Internal Auditor Training ISO 9001-2008

Nonconformity Rules 2 3
4

What is a nonconformity?
 The non-fulfillment of specified requirements
Start with the requirement:
 Management System Procedure , Program,
Protocol, Schedule
 Management System Work Instruction
 Standard (ISO 9001, ISO 14001, AS9100, etc.)
 Customer contract, or purchase order , bill of
material, etc.

Nonconformity Rules 2 3
4

Just the facts, objective evidence, not opinion

Each nonconformity should be written
independently
Each nonconformity forms a problem statement
for corrective action
Use good, clear and concise English
Review with management of the area audited

Page 133
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 134
Internal Auditor Training ISO 9001-2008

1
2 3
Nonconformity Levels 4

Consider the seriousness when writing a non-

conformity
 What is the impact on the management system?
 What is the impact on product, service, or
customer?

 “Major” indicates a critical deficiency

 “Minor” indicates an isolated weakness
 “Observation” or “Opportunity” is not a
nonconformity but is an issue the auditor wants to
point out to management

Nonconformity Report 2 3
4

ISO 9001 requires that audit results be recorded

and retained
Each nonconformity must be documented
The documentation must include the following
information:
 Requirement (controlling ISO element ,organization
procedure, Customer requirement, etc.)
 Nonconformity (deficiency)
 Evidence (proof)
 Auditor(s), area audited, auditee(s), date, etc.
Ensure connectivity to work papers

Page 135
 Internal Auditor Training ISO 9001-2008

Writing Nonconformities 2 3
4

Written nonconformities should:

 State the requirement
 State the deviation or gap
 Include evidence (proof)
 Stand alone as a problem statement
Written nonconformities should not:
 Name names
 Make unverifiable observations / opinions

NOTES:

Page 136
Internal Auditor Training ISO 9001-2008

Identification of Nonconformities Exercise

1. During an audit of the Sales Department the auditor asks if employees are aware
of the quality policy. The Sales Manager says that all Sales employees are
trained in the policy and can explain it in their own words. The auditor decides
to test this by talking to a couple of Sales people. The people he interviews
don’t appear to know anything about the policy. The Sales Manager says that’s
not a problem because they are field Sales people who are contractor employees
and not regular employees.

2. During the audit of Engineering the auditor notices that there are numerous
revisions of the same drawings in the drawing file. The Engineering Manager
says that they sometimes need the obsolete drawings to respond to customer
inquiries. The auditor asks how they avoid getting confused. He is told they put
a little “x” on the lower right hand corner of the obsolete drawings. If the
drawing has an “x”, it’s not the most current. If there’s no “x”, that’s the current
drawing.

3. The Engineering Department controls the design process. They are responsible
for making certain that the design input is clear and understood and that the
design output complies with the input. The auditor asks them to describe this
process for verifying the design. They tell him that the way they do this is by
having a senior engineer review the design data and, based on his experience,
giving the OK to send the design to the customer for validation. There is no
formal sign-off or record of this process.

4. Finished goods are packaged, labeled and stored in the company finished goods
warehouse. Each of the labels bears the warning that storage conditions should
not exceed a temperature of 80 F and humidity of 70%. When the auditor asks
about the temperature and humidity of the finished goods warehouse he is told
they are unknown. The Warehouse Supervisor says the restrictions apply only
after the product is shipped.

5. Internal audits are performed on a regular basis and the deficiencies are brought
to the attention of the appropriate management personnel. The auditor selects
an audit file and asks to see the corrective actions for the deficiencies. For
several deficiencies there are no corrective actions. He is told that they don’t
initiate corrective action on all deficiencies. The management of the responsible
area evaluates the deficiencies and, based on whether or not they agree with the
internal auditor, they initiate corrective action to address the deficiency.

Page 137
 Internal Auditor Training ISO 9001-2008

NOTES:

Page 138
Internal Auditor Training ISO 9001-2008

Nonconformity Statement

Department Audited: Audit Date:

Auditor: Auditee(s):

Requirement (indicate standard or document reference):

Nonconformity:

Evidence (Proof):

Major Minor Opportunity for

Improvement

Date Corrective Action Response

Required:

Auditor Signature: Report Date:

Page 139
 Internal Auditor Training ISO 9001-2008

Nonconformity Statement

Department Audited: Audit Date:

Auditor: Auditee(s):

Requirement (indicate standard or document reference):

Nonconformity:

Evidence (Proof):

Major Minor Opportunity for

Improvement

Date Corrective Action Response

Required:

Auditor Signature: Report Date:

Page 140
Internal Auditor Training ISO 9001-2008

Nonconformity Statement

Department Audited: Audit Date:

Auditor: Auditee(s):

Requirement (indicate standard or document reference):

Nonconformity:

Evidence (Proof):

Major Minor Opportunity for

Improvement

Date Corrective Action Response

Required:

Auditor Signature: Report Date:

Page 141
 Internal Auditor Training ISO 9001-2008

Nonconformity Statement

Department Audited: Audit Date:

Auditor: Auditee(s):

Requirement (indicate standard or document reference):

Nonconformity:

Evidence (Proof):

Major Minor Opportunity for

Improvement

Date Corrective Action Response

Required:

Auditor Signature: Report Date:

Page 142
Internal Auditor Training ISO 9001-2008

Nonconformity Statement

Department Audited: Audit Date:

Auditor: Auditee(s):

Requirement (indicate standard or document reference):

Nonconformity:

Evidence (Proof):

Major Minor Opportunity for

Improvement

Date Corrective Action Response

Required:

Auditor Signature: Report Date:

Page 143
 Internal Auditor Training ISO 9001-2008

Closing Site Activities 2 3

4

Review worksheets, notes etc. for completeness

Hold an audit team meeting
Follow-up on all outstanding issues
Review nonconformities discovered with auditees
Conduct a closing meeting
 Facts only, be objective
 Be brief and organized
 Provide overall impression
 Provide time for questions
 Explain next steps

NOTES:

Page 144
Internal Auditor Training ISO 9001-2008

Section 4: Appendices
Ten Commandments of Internal Auditing

1. Thou shalt prepare an audit matrix, cross-referencing functional areas (departments)

with the elements of the standard.

This matrix is used to ensure that you cover all required elements of the standard and all areas
of the company. When the registrar’s auditor asks “How do you know you’ve covered the
entire standard and the whole company?” show him the matrix. The matrix enables you to
audit either by element or department (or both). This is a controlled document, make sure you
keep it current and include a revision date.

2. Thou shalt prepare an audit schedule that describes the dates for all the audits in your
complete cycle.

This schedule is a great tool for administering the audit process. It should include both the
date scheduled and the date performed. It’s a good practice to be able to show the registrar’s
auditor both the old schedule (for the last completed cycle) and the new schedule (for the next
proposed cycle). Schedules can always be revised so don’t be afraid if the new schedule is a
little loose. This is a controlled document, make sure you keep it current and include a revision
date.

3. Thou shalt prepare a checklist for the audit.

The checklist is a very useful tool. Use it to make sure that you don’t forget to ask a question.
Use it to record your notes, findings, observations, etc.

4. Thou shalt include the requirement, nonconforming condition and evidence for each
finding written during an audit.

The requirement should be stated in terms of the element of the standard or company
document; be as specific as possible and don’t forget to include revision level where applicable.
The nonconforming condition should state, very simply, what is being done that does not
comply with the requirement. The evidence is the proof, such as purchase order number, lot
number, document number, subcontractor, etc.

5. Thou shalt review the results of your audit with the auditee prior to issuing an audit
report.

There is no reason for not reviewing the results of the audit with the auditee prior to issuing a
report. If the auditee is busy or not available, come back later. Ensure that the auditee
understands, and hopefully agrees with the findings. There should be nothing in an audit
report that the auditee does not already know.

6. Thou shalt issue the audit report within two weeks of the audit.

The longer you take to prepare the audit report the more time it will take and the less accurate
it will be. Experienced auditors write the audit report immediately after the audit. Also, if you
promptly issue the audit report your auditees will be more likely to promptly respond to your
corrective action due dates.

Page 145
 Internal Auditor Training ISO 9001-2008

7. Thou shalt issue unique numbers for the audit, audit findings and corrective actions.

There must be a very clear link between audits, findings and corrective actions. A common way
to accomplish this is to number the audits with a department, year and audit sequence number.
For example: MFG001, where MFG is Manufacturing, 00 is the year 2000, and 1 is the first
audit. The finding number is often the audit number with a sequence number added. For
example: MFG001-1, for the first finding in audit MFG001, MFG001-2, for the second, etc.
The audit finding number should be referenced on the corrective action for that finding.

8. Thou shalt require a corrective action for every finding discovered during the internal
audit process.

This does not mean that you need to have a separate corrective action for each and every
finding. One corrective action may address several findings, and that’s OK. However, every
finding must be clearly tied to a corrective action (see Commandment # 7 above).

9. Thou shalt give the auditee a due date for each corrective action and take documented
action when an auditee is past due for a required corrective action response.

The due date is the date that the auditee is required to respond with their root cause analysis,
corrective action and the implementation schedule for that corrective action. The corrective
action need not be implemented by the due date. If an auditee fails to respond by the due
date make sure you take action, and document that action. If your records indicate that
auditees routinely miss due dates, and you cannot prove that action has been taken, this can
be a finding.

10. Thou shalt retain all evidence of the internal audit process in a readily accessible and
well-defined audit file.

When it comes to internal audit files, it pays to be a packrat; but please be an organized
packrat. Retain the annotated checklist (the checklist used by you during the audit marked up
with all your notes), audit report, finding statement and any other documentation of the audit
in the audit file. It also pays to standardize the contents of the audit files to the extent
practical.

Page 146
Internal Auditor Training ISO 9001-2008

Sample Audit Checklist

The following Internal Audit Checklist may be retrieved in electronic form via Prism’s
website at www.prismesolutions.com. The checklist is free for your internal use and
you are welcome to modify it to suit your exact needs.

Organization: M = Major Nonconformity M

Auditor: N = Minor Nonconformity N
Date: O = Observation O
C = Comment C
4 QUALITY MANAGEMENT SYSTEM
4.1 General requirements
There is a quality management system
established, documented, implemented and
maintained. (4.1)

Processes affecting the QMS:

 Are identified
 Have sequence and interaction
determined
 Are measured to ensure effectiveness
 Are monitored, measured, analyzed
 Continually improved (4.1)
4.2 Documentation requirements
The documented QMS includes:
 Quality policy and quality objectives
 A quality manual
 Required documented procedures
 Required quality records (4.2.1)
The quality manual includes:
 QMS scope
 Documented procedures or
reference to documented procedures
 Process interaction definition (4.2.2)
Quality document control is defined in a
documented procedure and adequately
addresses:
 Revision control
 Availability
 External documents
 Obsolete documents (4.2.3)
Quality record control is defined in a
documented procedure and adequately
addresses:
 Identification
 Maintenance
 Retrievability
 Disposal (4.2.4)
Auditor’s question(s):

5 MANAGEMENT RESPONSIBILITY
5.1 Management commitment
Top management commitment is evident
and communicated through the:
 Quality policy and quality objectives
 Management reviews
 Availability of resources (5.1)

Page 147
 Internal Auditor Training ISO 9001-2008

5.2 Customer focus

Customer requirements are determined and
fulfilled with the aim of enhancing customer
satisfaction. (5.2)

5.3 Quality policy

There is an appropriate quality policy in
place that:
 Includes a commitment to comply with
requirements and continually improve
 Is communicated and understood
 Is reviewed for continuing suitability
(5.3)
5.4 Planning
Appropriate quality objectives are
established that are measurable and
consistent with the quality policy. (5.4.1)

There is a QMS planning process consistent

with the needs of this standard that includes
integration of changes to the quality
management system. (5.4.2)
5.5 Responsibility, authority and communication
Responsibilities, authorities, and their
interrelation are defined and communicated
throughout the organization. (5.5.1)

There is a management representative who

has the authority and responsibility to:
 Ensure processes are established and
implemented
 Report to top management on QMS
performance and need for improvement
 Ensure promotion of awareness of
customer requirements. (5.5.2)
Appropriate communication processes are
established regarding QMS effectiveness
(5.5.3)

5.6 Management review

There is a periodic top management review
of quality system suitability, adequacy and
effectiveness supported by appropriate
records. (5.6.1)
Management review input includes:
 Audit results
 Customer feedback
 Process performance and product
conformity
 Corrective and preventive actions
 Follow-up of previous management
review meetings
 Planned changes affecting the QMS
 Recommendations for improvement
(5.6.2)
Management review output includes:
 Improvement of QMS effectiveness and
its processes
 Improvement of product related to
customer requirements
 Resource needs (5.6.3)

Page 148
Internal Auditor Training ISO 9001-2008

Auditor’s question(s):

6 RESOURCE MANAGEMENT
6.1 Provision of resources
Adequate resources are provided to
implement and maintain the QMS,
continually improve its effectiveness and
enhance customer satisfaction. (6.1)
6.2 Human resources
Personnel performing work-affecting quality
are qualified on the basis of education,
training, skills and experience supported by
appropriate records. (6.2.1)
For work affecting quality the organization
has:
 Determined necessary competence
 Provided training
 Evaluated training effectiveness
 Ensured QMS awareness (6.2.2)

6.3 Infrastructure
Infrastructure is adequate to conform to
product requirements. Infrastructure
includes:
 Buildings, workspace, utilities
 Equipment, hardware, software
 Transport, communication (6.3)

6.4 Work environment

The work environment is consistent with the
needs to achieve conformity to product
requirements. (6.4)

Auditor’s question(s):

7 PRODUCT REALIZATION
7.1 Planning of product realization
Product realization planning is performed, as
appropriate, to determine:
 Quality objectives and product
requirements
 Product specific processes, documents
and resources
 Product specific verification, validation,
monitoring, inspection and test
activities
 Appropriate records needed to
provide evidence. (7.1)

7.2 Customer-related processes

The organization has determined:
 Customer specified requirements
 Requirements necessary for specified
use or known and intended use
 Statutory and regulatory requirements
(7.2.1)

Page 149
 Internal Auditor Training ISO 9001-2008

Contract review activities adequately ensure:

 Product requirements are defined
 Discrepancies resolved
 Capability to meet requirements
This is performed prior to organization
commitment. (7.2.2)

There are provisions to document and

deploy contract changes throughout the
organization? (7.2.2)

Records of contract review and the action

arising from these activities are maintained.
(7.2.2)

There are effective processes for

communication with the customer in relation
to product information, queries,
amendments, feedback and complaints.
(7.2.3)

7.3 Design and development planning

There is a design and development plan,
updated as appropriate, that includes:
 Design stages
 Design review, verification & validation
 Responsibilities & authorities (7.3.1)

The interfaces between different groups

involved in design and development are
managed to ensure effective communication
and clear assignment of responsibility.
(7.3.1)

Design inputs are determined and include:

 Functional & performance requirements
 Statutory & regulatory requirements
 Information from previous similar
designs (where applicable)
Records of design inputs are maintained.
Inputs are reviewed for adequacy. (7.3.2)

Design outputs are in a form that enables

verification and are approved prior to design
release. (7.3.3)

Design reviews are conducted at appropriate

stages to evaluate project status and identify
problems.
Records of the results of design reviews
and necessary actions are maintained.
(7.3.4)

Design reviews include participants from

concerned. (7.3.4)

Design verification is performed to ensure

output satisfies input requirements.
Records of the results of design verification
and necessary actions are maintained.
(7.3.5)
Design validation is performed in accordance
with planned arrangements. Records of the
results of design validation and necessary
actions are maintained. (7.3.6)

Page 150
Internal Auditor Training ISO 9001-2008

Design changes are reviewed, verified,

validated (as appropriate), and approved
before implementation. Records of design
change results and actions are maintained.
(7.3.7)

Page 151
 Internal Auditor Training ISO 9001-2008

7.4 Purchasing
Suppliers are evaluated and selected based
on their ability to meet product
requirements. Acceptance criteria are
established. Records of evaluation results
and necessary actions are maintained.
(7.4.1)
Purchasing information, as appropriate,
describes requirements for:
 Approval of product, procedures,
processes and equipment
 Qualification of personnel
 Quality management system (7.4.2)
The organization ensures the adequacy of
specified purchase requirements prior to
communication to the supplier. (7.4.2)

Inspection and other activities are

established and implemented to ensure
purchased product meets specified
requirements. (7.4.3)
Provisions for source inspection, by either
the organization or the customer, are
addressed. (7.4.3)

7.5 Production and service provision

Production and service are carried out under
controlled conditions including, as applicable:
 Product characteristics
 Work instructions
 Suitable equipment
 Measuring devices
 Release and delivery activities (7.5.1)
Special processes are validated to assure
they achieve planned results. (7.5.2)

Validation of special processes includes, as

applicable:
 Defined validation criteria
 Personnel and equipment
 Specific methods and procedures
 Record requirements
 Revalidation requirements (7.5.2)
Product is identified, as appropriate, through
all production processes. (7.5.3)

Inspection and/or test status is suitably

identified through all production processes.
(7.5.3)

Traceability, where required, is adequately

provided and supported by records. (7.5.3)

Customer property provided for use or

incorporation into the product is identified,
verified, protected and safeguarded. (7.5.4)

Customer property that is lost, damaged or

otherwise unsuitable for use is reported to
the customer with records maintained.
(7.5.4)

Page 152
Internal Auditor Training ISO 9001-2008

Product conformity is preserved through all

production processes and delivery to the
intended destination. (7.5.5)

7.6 Control of monitoring and measuring devices

Monitoring and measuring devices provided
to determine conformity to product
requirements are adequate. (7.6)

Monitoring and measuring devices required

to determine conformity to product
requirements are identified. (7.6)

Where necessary to ensure accuracy,

measuring devices are:
 Calibrated at specified intervals
 Identified concerning calibration status
 Safeguarded from improper adjustment
 Protected from damage and
deterioration
Records of the results of calibration are
maintained. (7.6)

Where devices are found not conforming to

requirements, the validity of previous
measurements is assessed. Records of
these assessments are maintained. (7.6)

The capability of computer software, when

used in conjunction with measuring devices,
is confirmed as necessary. (7.6)

Auditor’s question(s):

8 MEASUREMENT, ANALYSIS AND IMPROVEMENT

8.1 General
Appropriate methods have been determined
to monitor, measure, analyze and improve
processes to:
 Demonstrate conformity of product
 Ensure conformity of the QMS
 Continually improve QMS effectiveness
(8.1)
8.2 Monitoring and measurement
Information relating to customer perception
of organization quality is gathered and
analyzed. (8.2.1)

Internal audits are conducted at planned

intervals to determine whether the QMS:
 Conforms to planned arrangements
 Is implemented and effective (8.2.2)

Audits are planned based on status and

importance of the activity as well as results
of previous audits. (8.2.2)

Page 153
 Internal Auditor Training ISO 9001-2008

Audit criteria, scope, frequency and methods

are defined. (8.2.2)

Auditors are independent of the area being

audited. Auditors do not audit their own
work. (8.2.2)

Responsibilities and requirements for

planning and conducting audits, reporting
results and maintaining records are defined
in a documented procedure. (8.2.2)

Action is taken without delay to address

nonconformities. Follow-up activities verify
actions taken and the reporting of results.
(8.2.2)

Suitable methods are applied for monitoring

and, where applicable, measuring QMS
processes. These methods demonstrate the
ability of processes to achieve planned
results. (8.2.3)
Where processes do not achieve planned
results correction and corrective action, as
appropriate, is taken. (8.2.3)

At appropriate stages, product characteristics

are monitored and measured to verify
product requirements are fulfilled. (8.2.4)

Records of conformity with acceptance

criteria are maintained and indicate the
person(s) authorizing release of the product.
(8.2.4)

Product release and service delivery does not

proceed until all planned arrangements have
been completed unless approved by relevant
authority. (8.2.4)

8.3 Control of nonconforming product

Nonconforming product is identified and
controlled to prevent unintended use. This
process, including responsibilities and
authorities, is defined in a documented
procedure. (8.3)

Nonconforming product is handled in one or

more of the following ways:
 Action taken to eliminate the
nonconformity
 Authorizing its use under concession by
a relevant authority
 Action to preclude its original use (8.3)

Records of nonconformities and any

subsequent actions, including concession,
are maintained. (8.3)

Nonconforming product that is corrected is

re-verified to demonstrate conformity to
requirements. (8.3)

Page 154
Internal Auditor Training ISO 9001-2008

When nonconforming product is detected

after delivery or use, action appropriate to
the effects, or potential effects, is taken.
(8.3)

8.4 Analysis of data

Appropriate data is determined, collected
and analyzed to:
 Demonstrate the suitability and
effectiveness of the QMS
 Evaluate opportunities for continual
improvement (8.4)

Data analyzed includes:

 Customer satisfaction
 Product conformance
 Process and product characteristics and
trends
 Suppliers (8.4)

8.5 Improvement
The QMS is continually improved through the
use of:
 Quality policy and objectives
 Audit results
 Analysis of data
 Corrective and preventive actions
 Management review (8.5.1)
A corrective action process, defined by
documented procedure, is in effect and
includes:
 Product nonconformities
 Customer complaints
 Root cause analysis
 Determining and implementing action
needed
 Verification of CA effectiveness
Records of CA results (8.5.2)

A preventive action process, defined by

documented procedure, is in effect and
includes:
 Determining potential nonconformities
 Evaluating need for action
 Determining and implementing action
needed
 Verification of PA effectiveness
Records of PA results (8.5.3)

Auditor’s question(s):

Page 155