10 Powerful Audit Questions

This document provides 10 powerful audit questions to ask during an ISO 9001 audit. The first question asks if personnel are aware of the quality policy and objectives. It emphasizes that all personnel must understand how their work contributes to achieving objectives. The second question asks what happens to non-conforming products and probes how issues are handled systematically. The third questions how customer requirements are assessed and communicated to ensure personnel can find and understand requirements.

Uploaded by

Faysal

https://www.slideshare.net/AntoniusPompiBramono/10-powerful-audit-questions

1. Ten Powerful Audit Questions, Antonius P. Bramono – [email protected]
2. #1 – Are Personnel Aware of the Quality Policy & Quality Objectives?
3. Quality Objectives & Quality Policy
   • ISO 9001:2008 requires that organizations establish measurable objectives at relevant functions and levels (Clause 5.4.1) and that the quality policy is communicated and understood (Clause 5.3 d).
   • Perhaps an even more significant requirement is that personnel understand how they contribute to achieving these objectives (Clause 6.2.1).
   • These requirements don't just apply to SOME employees; they apply to EVERYONE. All personnel must be able to explain how they help achieve objectives.
4. Quality Objectives & Quality Policy – cont’d
   • Not all objectives apply to everyone. Auditors can only expect that personnel understand the quality objectives that apply to them.
   • Interviews with personnel allow the auditor to verify if they have appropriate awareness, understanding and knowledge of the way the organization's quality policy and objectives relate to their own activity, regardless of the terms used to express their understanding.
5. Quality Objectives & Quality Policy – cont’d
   • This question directly reflects on an organization's ability to communicate what matters most to its success.
   • Truly comprehending objectives means that people understand specifically what they can do to improve the organization.
   • They appreciate the significance of their roles and are prepared to carry them out.
6. Quality Objectives & Quality Policy – cont’d
   • This knowledge creates strategic focus throughout the organization. Instead of having a limited view of activities and tasks, personnel begin to understand how their jobs link to the organization's larger mission.
7. Quality Objectives & Quality Policy – cont’d
   • Quality objectives are not static and need to be updated in the light of the current business climate and the quest for continual improvement. Also remember that there is a clear link between the dynamic aspect of revising the quality policy and the quality objectives and the commitment of the organization to continual improvement.
8. Quality Objectives & Quality Policy – cont’d
   • Closely related questions include:
     - How are objectives determined?
     - How are employees made aware of the quality policy and objectives?
     - How is progress towards objectives measured and communicated?
     - What processes and/or tools are in place to help achieve objectives?
     - Is there evidence of progress?
9. #2 – What Happens to Non-conforming Product?
10. Nonconforming Product
   • This question reflects on the organization's ability to deal with product problems in a systematic way. Controlling non-conforming products is a basic discipline (Clause 8.3) and one that smart auditors always probe. The answer to this question can be compared to the documented procedure and, more importantly, to the auditor's observations.
   • Few other processes require as rigid adherence to procedures as controlling non-conforming products. There can be no room for deviation.
11. Problems relating to controlling non-conforming products almost always pose significant risks to the organization e.g. additional costs, wasted time, aggravated employees, angry customers and loss of business.
12. Nonconforming Product – cont’d
   • During an audit, find some examples of non-conforming products (if there are any) and follow-up with these questions:
     - How are nonconforming products identified?
     - Where are they located?
     - What are the responsibilities and authorities related to dealing with non-conforming products?
     - How is disposal determined and implemented?
     - Where are the records of non-conforming products and actions taken on them?
     - Are there trends in non-conforming products and what's being done about it?
     - How is the procedure linked to the corrective action process?
13. #3 – How are Customer Requirements Assessed and Communicated?
15. Customer Requirements – cont’d
   • The standard additionally requires that information describing the product be available (i.e., documented). Asking how personnel access product requirements is an important audit question because when requirements aren't accessible, big problems often result. Employees don't need to know product requirements by heart, but they should certainly be able to find the current versions of requirements and describe how they carry them out.
16. Customer Requirements – cont’d
   • Follow up questions could include:
     - Are product requirements complete?
     - How does the organization ensure that only the correct versions are available?
     - How are requirements reviewed prior to acceptance?
     - How do you ensure that product meets the stated requirements?
     - What happens when changes are made to product requirements?
17. #4 – How Are Problems Prevented?
18. Preventive Action
   • Problem correction is relatively simple: Define the problem, identify the cause and take action to remove it. Problem prevention is rather more complex. Preventive action is specifically required by ISO 9001:2008 (Clause 8.5.3), and it provides one of the most valuable links to continual improvement.
   • The most obvious way to generate preventive action is by analyzing data (Clause 8.4). Data analysis is a primary job of top management, but it can happen at other levels of the organization too. When an organization openly shares data and encourages its analysis on a broad scale, then preventive action becomes easy.
19. Preventive Action – cont’d
   • Employee creativity and innovation can also be a valuable starting point for preventive action. Forward thinking organizations look for ways to solicit improvement ideas from their employees and provide feedback on the viability of the ideas. Another source of preventive action is feedback from customers. Often, customers will provide ideas for improving the product in subtle yet significant ways.
20. Preventive Action – cont’d
   • Additional questions could include:
     - How do data trends get analyzed?
     - How do employees communicate their improvement ideas?
     - How do preventive actions get recorded?
     - Are statistical techniques (e.g. SPC, QC 7 tools, FMEA) used?
     - How are customer perceptions captured?
     - How are critical pieces of plant and equipment maintained?
     - Is there a disaster recovery procedure?
     - Is the work environment appropriate? (Ref. Clause 6.4)
21. #5 – How is Customer Satisfaction Data Collected and Used?
22. Customer Satisfaction
   • This question probably won't apply to all personnel but it's especially relevant to top management and employees responsible for gauging customer perceptions.
   • The question is significant because most organizations manage fairly well to capture perceptions but usually fall short of actually doing something with the information.
23. Customer Satisfaction
   • ISO 9001:2008 (Clause 8.2.1) specifically requires that organizations define methods for obtaining and using customer satisfaction data.
   • Customer feedback is a process. It needs to be audited as a process, not as a “clause of the standard”.
   • The audit also needs to be performed on the way in which the process is managed (Clause 4.1.c), and its ability to provide meaningful information with which to judge the overall effectiveness of the QMS.
24. Customer Satisfaction – cont’d
   • The way in which the organization obtains this feedback (“the method”) is up to the organization to define. This is another reason for relying on simple methods for capturing customer perceptions: Experience suggests that the more complex and resource-intensive your customer satisfaction methods are, the less likely you'll take action on what you learn. It's a curious paradox.
25. Customer Satisfaction – cont’d
   • Many organizations run out of gas before they get to the action phase, and the valuable opportunities afforded by customer feedback are ignored as other problems arise.
26. Customer Satisfaction – cont’d
   • The auditor should recognize that many factors can affect the organization's approach, and that there is no fixed “recipe”. Consideration should be given to factors such as:
     - The organization's size and complexity
     - The level of sophistication of products and customers
     - The risks associated with the product
     - The diversity of the customer base
27. Customer Satisfaction – cont’d
   • Here are some supplementary questions:
     - How is customer satisfaction data analyzed?
     - How are opportunities identified, prioritized and actioned?
     - What's the connection to the corrective and preventive action systems?
     - What are the organization's long-term trends in customer satisfaction?
     - How are resources for customer satisfaction identified and provided?
     - What connections exist between customer satisfaction and the organization's objectives?
28. #6 – How Are Customer Complaints Handled?
29. Customer Complaint
   • Despite everyone's best efforts, customers will occasionally complain. Customer complaints represent both a huge risk and a valuable opportunity to the organization: it all depends on how they're handled.
   • This question is especially relevant to sales people, customer service representatives, technical personnel and top management.
   • The auditor is looking for proof of a systematic approach to dealing with complaints.
31. Customer Complaint – cont’d
   • This will typically include defined responsibilities for logging and tracking complaints, clear problem statements with all relevant facts included, determination of problem causes and actions that address the causes.
   • Specific examples of complaints must be sampled, of course. The link between the complaint process and corrective action also requires special scrutiny (Clause 8.5.2).
32. Customer Complaint – cont’d
   • Here are some follow up questions:
     - What's the largest complaint category?
     - What's being done about it?
     - Has the number of complaints changed over time?
     - How are personnel trained in their roles in preventing complaints?
     - What tools are used to identify the causes of complaints?
33. #7 – How Does Top Management Demonstrate Commitment?
34. Top Management Commitment
   • An auditor with limited experience should NEVER be assigned to interview top management. One of top management's most important responsibilities is reviewing the organization's performance.
   • Is your organization becoming more efficient, more competitive, better at serving customers, or is it moving in the opposite direction?
35. Top Management Commitment
   • Top management should regularly analyze the data that provide the answers to these questions. ISO 9001:2008 (Clause 5.6) specifically requires management review with defined inputs and outputs. And there's no sense in conducting an ISO 9001 management review, then conducting a separate review of the organization's performance - they should be one and the same.
36. Top Management Commitment – cont’d
   • Some of the best approaches to reviewing organizational performance are the most creative. Many organizations conduct their management reviews in a number of different forums and time frames, which is a practical and realistic way to approach the process.
   • Regardless of how the review is conducted, the three key points are data analysis, identifying opportunities and taking action on them.
   • Smart organizations treat these three activities as inseparable.
37. Top Management Commitment – cont’d
   • Here are some related questions:
     - Are policies and objectives available and relevant?
     - Is there a clear link between the policies and objectives?
     - Who's involved in reviewing the organization's performance?
     - What actions have resulted from these reviews?
     - How are records of the reviews generated?
     - Are all required inputs and outputs addressed by records?
     - How does the rest of the organization learn of actions arising from reviews?
38. #8 – How is Continual Improvement Demonstrated?
39. Continual Improvement
   • This question can be asked of everyone, especially top management. In organizations that have developed improvement tools and provided opportunities for their application, this is an easy question.
   • In organizations where improvement efforts are very narrowly applied, it becomes a much harder question. There should certainly be some evidence of continual improvement within the scope of most, if not all, audits.
40. Continual Improvement – cont’d
   • Large-scale improvements are impressive, of course, but all improvements have value. This question actually summarizes many of the earlier questions into a single point of inquiry.
   • The ultimate purpose of a management system is to provide a means for improvement.
   • Just because one or two people aren't able to provide evidence of improvement isn't necessarily a problem. It may indicate weak improvement efforts, though, and further investigation would certainly be needed.
41. Continual Improvement – cont’d
   • In a mature QMS, all personnel are involved in making improvements, and proof of this happening is abundant.
   • Look for evidence that the organization is analyzing data from process monitoring, and is then taking the results forward for evaluating process efficiency and/or improving process output.
   • One point that should be specifically examined is the consistency of the way in which the improvement of any one process contributes to meeting the overall objectives, so as to ensure that this will not conflict with the achievement of other objectives.
42. Continual Improvement – cont’d
   • The type of information that an auditor needs is evidence of how the company objectives are translated into specific QMS objectives. For example: the organization has set an objective to reduce customer complaints by 20%. Analysis shows that 50% of those complaints are because of overdue deliveries.
   • The auditor should then look for evidence that the organization is monitoring and analyzing key aspects of its scheduling and planning activities to reduce delays.
43. Continual Improvement – cont’d
   • These are some additional points to investigate:
     - Who's involved in improvement efforts?
     - What tools are used to pursue continual improvement?
     - How are personnel trained to use improvement tools?
     - How are ideas for improvement prioritized?
     - How are employees made aware of improvement efforts and successes?
44. #9 – How Are Training Needs Determined?
45. Training Needs
   • Developing human resources is one of the keys to organizational success.
   • This audit question attempts to probe the degree of planning that goes into developing these resources. Is training performed as a knee-jerk activity with no real objectives? Or is it geared toward empowering each employee with the skills and knowledge needed to move the organization forward?
   • During the audit, make sure to probe the training needs that have been determined for all levels of personnel: hourly, salaried, contract, technicians, line-managers and top management.
46. Training Needs – cont’d
   • Training is an activity that applies to all personnel, not just a narrow slice of the organization.
   • The auditor should determine whether there is a systematic approach in place to identify skills and competencies and to verify that the approach is effective.
   • The outcome of the process may be a list, register, database, human resources plan, competencies development plan, contract, project or product plan, etc.
48. Training Needs – cont’d
   • Verify that some form of evaluation process is in place to ensure that the competencies are appropriate to the organization's activities, and that the personnel are demonstrating those competencies.
49. Training Needs – cont’d
   • Here are some additional questions:
     - What kind of training is given to new employees? (including those on short-term contracts)
     - How are personnel made aware of the organization's mission, values and measurable objectives?
     - How is the effectiveness of training evaluated?
     - What happens when training is determined to have been ineffective?
     - What records of training are maintained?
50. #10 – How Do I Audit a Process?
51. Audit a Process – cont’d
   • You will start at either the beginning or the end of the organization's workflow and follow a sample of orders, contracts, projects, products, etc. through the organization. This is a process audit.
   • Sometimes on an internal audit you may not have time to do the entire process in one audit - in which case break the process into manageable chunks and use that as your audit schedule.
52. Audit a Process – cont’d
   • The first task for the auditor is to establish what the process is there to achieve. If it is a sales department, it could be that its primary function is to provide an effective interface between the organization and its customers, and to enter clear, accurate customer orders onto the computer system in a timely manner. (These may turn out to be the 'quality objectives' for that process as required by Para 5.4.1).
53. Audit a Process – cont’d
   • If these are the most important objectives of that process, then the audit must concentrate on verifying whether or not they are being achieved.
   • Performance is often best proven by looking at how well output of Process A satisfies the input requirements of Process B. For example: how often does Process B have problems with the data entered, how many customer complaints have arisen due to inaccurate or late information being entered?
54. Audit a Process – cont’d
   • If there is a documented procedure in place it should define the process and the steps to be taken to ensure that the objectives are achieved.
55. Audit a Process – cont’d
   • Consider these points:
     - Is there continuity between the various processes in the organization?
     - Is the task done consistently on a person-to-person, day-to-day basis?
     - Do the interfaces between the departments operate smoothly?
     - Does product and information flow freely?
     - Is the procedure right?
     - Does it meet the Standard?
     - Is it helping the organization effectively?
56. Audit a Process – cont’d
   • There is clearly no advantage in verifying that the procedure is being followed if the result is not beneficial to the organization, and consequently, the customers.
57. Summary
   • All these questions are based on specific ISO 9001 requirements and in light of ISO 9001:2008 Clause 8.2.2, the unavoidable implication is that internal auditors must now have an understanding of ISO 9001, rather than solely focusing on procedures.
   • An audit of your key quality management activities will always be more relevant and produce more meaningful results than a simple procedural audit.
   • Most of these high-level questions can also be used to supplement your own checklists as part of your routine internal audits. You may well want to refine this list based on special concerns and risks faced by your company.
59. Please contact: Antonius P. Bramono, E: [email protected]

Sample Audit Committee Questions to Ask of Auditors and Management

To assist the audit committee in performing its duties, the following is a list of questions it may ask the
auditors and management in the context of periodic discussions (i.e., audit planning meeting and post-audit
meetings). However, committees are cautioned against falling into a checklist mentality where the basic goal is
completion of the checklist itself, rather than conducting their own organization-specific investigation.
Accordingly, these questions should be tailored to the circumstances of each organization. You may find many
of the following questions are appropriate to ask more broadly of both the auditors and management.

Audit Planning Meeting


Ask the External Auditors
• Did you discuss any major accounting or auditing issues with management prior to your retention, your responses to which were, or might be considered to be, a condition of your retention?
• (If there is a new auditor this year) What steps will be taken to ensure an orderly transition from the prior auditor?
• What is the planned scope of your audit, (i.e., will all of the subsidiaries be examined, what percentage of inventories will be observed, what percentage of accounts receivable will be confirmed, how will you verify accounts payable?) Will auditing procedures be rotated (i.e., financial statement areas, locations, etc.)?
• Are there any subsidiaries or activities that will not be audited that present operational or financial risks but are not viewed as “material?”
• How can your planned audit scope be relied upon to detect material errors, fraud, illegal acts or material weaknesses in internal control?
• How will the involvement of the internal auditors be coordinated with your audit?
• Does the organization use the services of other external auditors? What is the percentage of assets, revenues and net income for which they will be responsible? How will you determine the quality of their work? Will your report make reference to the other external auditors?
• Are there any concerns with how management controls key business processes? Have the key processes been appropriately identified?
• Are there any areas where the organization could be of greater assistance to reduce the amount of time spent by you?
• Will your risk assessment of the internal control policies and procedures enable you to reduce audit testing performed in conjunction with the integrated audit?
• What risk assessment techniques will you use?
• What criteria do you use to determine materiality?
• How will you utilize computer auditing techniques to review our computer processes?
• Will you use statistical sampling?
• How does the planned scope of your audit differ from the prior year?
• How do you intend to staff the engagement? Will there be personnel continuity from the prior year? What is the expected level of participation by the engagement partner?
• How do you plan to detect the existence of related party transactions?
• Are there any proposed accounting, auditing, tax or reporting rules that could materially affect the organization’s financial statements?
• How do you ensure independence? Are there any matters that might reasonably be thought to bear on your independence?
• Are there any unresolved questions from the prior year’s audit?
• Do you anticipate any special problems in this year’s audit?

Ask the Internal Auditors
• Has management been responsive to your and the external auditors’ previous findings and recommendations? What previous year internal control recommendations from either the external auditors or as a result of your procedures have not been adopted?
• Were there any areas of concern that were not reviewed due to budget or other limitations?
• Have your audits identified areas of concern to the overall entity environment? Have any specific locations or areas been identified?
• Does management give appropriate consideration to your views?
• What is your relationship with the external auditors?
• How would you assess the information systems control environment, including key business information systems? How is security over these systems maintained?
• What work will you be doing to assist the external auditors? Could this work be expanded for greater audit efficiency?
• How do you monitor the organization’s policies and procedures to prevent improprieties?
• What were the scope and results of internal audits this past year?
• How are risks identified?
• What procedures are in place to prevent/address the risk of management override of controls?
• How is the internal audit staff remaining current with respect to changes in accounting and financial reporting requirements? Are there appropriate training mechanisms in place?
• (For multi-locations) Do you and the external auditors plan to visit all of the organization’s locations this year? If not, what are your criteria for site visits?

Ask Accounting Management
• Were there any major changes in operations this year?
• Are there any areas that require special attention due to high business or financial risks?
• What are the organization’s policies and procedures to deter conflicts of interest and illegal acts, and how are they monitored?
• How does the organization minimize the risk of fraudulent financial reporting?
• What are the organization’s revenue recognition policies?
• Are there any major write-downs or other significant transactions that will affect the financial statements?
• Were there any significant changes in accounting estimates or models used in making accounting estimates? If yes, what changes were made and what are the financial statement effects?
• Is the organization contemplating any changes in accounting methods?
• Should the audit committee be aware of any problems, tax or legal difficulties?
• Does management have the appropriate resources to assess the effectiveness of internal control over financial reporting?
• Are there policies and procedures in place for disclosing internal accounting control deficiencies and frauds or illegal acts identified to the auditors and the audit committee?
• How is management remaining current with respect to changes in accounting and financial reporting requirements? Are there appropriate training mechanisms in place?
• How do you define materiality? How is this different from the auditors’ determination of materiality?
• Were there any significant systems implemented or modified that could impact processing of transactions?

Post-Audit Meeting

Ask the External Auditors – General Questions
• Did the scope of the audit differ from the audit plan?
• Were you provided with all the information you requested? Do you have any reason to believe that information was withheld from you or that management representations were incorrect?
• Did the organization or its counsel impose any limitations on you?
• Did you observe any areas of serious concern over the corporate control environment? Were any integrity or honesty concerns noted?
• Did you detect any material errors, fraud, illegal acts or significant deficiencies or material weaknesses in the internal control system?
• Were there any significant changes in financial statement amounts from the prior year? What were the causes of the changes?
• Did you have enough time to complete all phases of your audit?
• Will your opinion be unmodified? If not, why?
• (For multi–location engagements) How did you ensure that work performed by your audit firm or other audit firm(s) in other locations has been pre–approved and does not impair independence?
• Did management consult with you on tax matters? Is the liability for taxes adequate to cover potential assessments?
• Were there any disagreements regarding accounting, auditing or reporting matters between you and management? If so, how were they resolved?
• Did management pressure you on contentious issues by threatening to “shop” for other auditors?
• Were any adjustments or disclosures proposed by you not recorded by the organization?
• Are there any unresolved matters?
• Are the accounting principles used by the organization overly conservative or aggressive? What would be the effect of using alternative principles? Do the accounting principles conform to industry practice?
• Were there any changes in accounting principles?
• How did you satisfy yourself as to the reasonableness of any significant accruals or estimates made by management (e.g., doubtful accounts, valuation allowances, environmental contingencies, etc.)?
• Were there any unusual items that affected the change in net assets? Are they properly accounted for and will they be adequately disclosed?
• Did you review information furnished to others (e.g., actuaries)?
• Are you satisfied that there is no substantial doubt about the organization’s ability to continue as a “going concern?”
• When do you expect to issue your report?
• Are there any significant concerns about information systems and their ability to process, record and report financial transactions?
• Were there any related party transactions noted as a result of your audit? Are the transactions properly recognized and disclosed in the financial statements?
• How did you satisfy yourself that pending or threatened lawsuits are not likely to have a material effect on the financial statements? Has management provided adequate disclosures within the financial statements?
• In your review of other documents prepared by management (e.g., annual report, IRS Form 990, etc.),
did you identify any inconsistencies or material misstatements of fact?
 What is management’s attitude toward establishing strong internal controls? Does it set an effective
example for the entire organization? Does it follow up on suggested changes? Were weaknesses
reported by you last year remediated? Was management receptive to your recommendations?
 Are there any material weaknesses in the organization’s internal controls that have not been
remediated, including computer security controls? Are appropriate changes being instituted?
 Did you encounter any difficulties in obtaining the management representation letter or any specific
representations?
 What is your general assessment of the integrity and competence of the organization’s financial,
accounting, computer and internal audit staffs? Are they respected groups within the organization?
Are they effective? What improvements would you recommend?
 How do actual engagement fees incurred for the year compare to the estimated fees?
 What percentage are the audit fees for this engagement in relation to your firm’s total fees? Is that
material?
 What can the organization do to reduce the audit time?
 What are the advantages to the organization in continuing its relationship with your firm?
 Are there any other items that should be discussed with the audit committee?
 
Ask the Internal Auditors
 What was the extent of your work on the audit and were there any changes to the scope of work
performed?
 Was there adequate coordination with the external auditors?
 Did management impose any limitations on you?
 Were any significant problems encountered?
 Are you aware of any actual or possible illegal or questionable payments?
 Are you aware of any conflicts of interest between officers or employees and the organization?
 Are you aware of any significant deficiencies or material weaknesses in internal control not identified
by management or the external auditors?
 Are you aware of any related party transactions not disclosed in the financial statements?
 What are the department’s goals and objectives for this year?
 What will be the scope of your activities this year?
 How will you monitor the organization’s code of conduct?
 Do you feel your staffing is adequate?
 What additional work could you do to reduce the work of the external auditors?
 What is your evaluation of the external auditors’ services for the past year?
 Are the organization’s systems functioning with maximum efficiency at minimum cost?
 What is your assessment of the capabilities of management?
 Are there any other items that should be discussed with the audit committee?
 
Ask Accounting Management
 What was your reaction to the audit findings?
 Were there any disagreements between you and the external auditors? If so, how were they resolved?
 Are the financial statements fairly presented?
 What are the reasons for financial statement variations from the prior year?
 What was the substance of significant issues raised by either internal corporate or outside counsel, and
how are these matters reflected in the financial statements?
 Did you consider any changes in accounting principles that were not ultimately adopted?
 Did you seek the opinions of other auditing firms on any accounting or auditing issues?
 Were any problems or difficulties identified as a result of the audit that we should know about?
 What is your opinion of the auditing services performed by the external auditors?
 Were any significant deficiencies or material weaknesses identified and communicated to us pervasive
across the organization or were they limited to a specific location or account? Have these been
remediated?
 Were there any other deficiencies identified by you that were not reported to the audit committee
(whether or not they have been remediated)?
 Were there any errors or adjustments noted by you that were not recorded?
 What is your reaction to the suggestions contained in the external auditors’ management letter?
 What actions do you contemplate in response to these suggestions?
 What is your evaluation of the external auditors’ services this past year?
 What significant changes do you foresee for the organization this year?
 Are there any other items that should be discussed with the audit committee?

Essential Audit Questions for ISO 9001:2015


 Published on January 25, 2016
Craig Cochran

International quality expert and consultant


If you’re preparing to start auditing against ISO 9001:2015, you’ve probably already asked
yourself the timeless question: What the heck am I going to ask these people? There’s no worse
feeling in the world than being in the middle of an audit and realizing that you don’t have
anything to say in the way of questions. Preparation and planning can remedy this, of course, but
the fact remains that ISO 9001:2015 includes a lot of new requirements that have never been part
of most audits. In order to expedite your thinking, these are what I believe to be the most
important audit questions for ISO 9001:2015:

1. What can you tell me about the context of your organization? This question is the starting
point of ISO 9001:2015, appearing in section 4.1. The standard uses the clunky term "context,"
but this could easily be substituted by asking about the organization's internal and external
success factors. Questions about context are usually directed at top management or the person
leading the QMS (formerly known as the management representative). As an auditor, you’re
looking for a clear examination of forces at work within and around the organization. Does this
sound broad and a little vague? It is. Thankfully the standard provides some guidance, saying
that context must include internal and external issues that are relevant to your organization’s
purpose, strategy, and goals of the QMS. Many organizations will probably use SWOT analysis
(strengths, weaknesses, opportunities, and threats) to help get their arms around context, but it’s
not a requirement. What the organization learns with this will be a key input to risk analysis.
(NOTE: Not everybody will understand the term ‘context.’ Be prepared to discuss the concept
and describe what ISO 9001:2015 is asking for.)

2. Who are your interested parties and what are their requirements? The natural follow-up
to context is interested parties, found in section 4.2. The term "interested parties" has a bizarre,
stalker-like ring to it, so smart auditors might want to replace it with "stakeholders." Remember,
effective auditors try to translate the arcane language of ISO 9001:2015 into understandable
terms that auditees can grasp. Typical interested parties are employees, customers, suppliers,
business owners, debt holders, neighbors, and regulators. As an auditor you’re making sure that a
reasonable range of interested parties has been identified, along with their corresponding
requirements. The best way to audit this is as an exploratory discussion. Ask questions about the
interested parties, and probe what they’re interested in. If you’ve done some preparation in
advance of the audit, then you’ll know whether their examination of interested parties is
adequate. That brings up an important planning issue: You will have to do a bit more preparation
before an ISO 9001:2015 audit. Why? So you’ll have a grasp of context and interested parties.
How can you evaluate their responses if you don’t know what the responses should be?

3. What risks and opportunities have been identified, and what are you doing about
them? Risks and opportunities could accurately be called the foundation of ISO 9001:2015. No
fewer than 13 other clauses refer directly to risks and opportunities, making them the most
“connected” section of the standard. If an organization does a poor job of identifying risks and
opportunities, then the QMS cannot be effective, period. Auditors should verify that risks and
opportunities include issues that focus on desired outcomes, prevent problems, and drive
improvement. Once risks and opportunities are identified, actions must be planned to address
them. ISO 9001:2015 does not specifically mention prioritizing risks and opportunities, though it
would be wise for organizations to do this. Risks and opportunities are limitless, but resources
are not.

4. What plans have been put in place to achieve quality objectives? Measurable quality
objectives have long been a part of ISO 9001. What is new is the requirement to plan actions to
make them happen. The plans are intended to be specific and actionable, addressing actions,
resources, responsibilities, timeframes, and evaluation of results. Auditors should closely
examine how the plans have been implemented throughout the organization, and who has
knowledge of them. Just as employees should be aware of how they contribute to objectives,
they should be familiar with the action plans.

5. How has the QMS been integrated into the organization’s business processes? In other
words, how are you using ISO 9001:2015 to help you run the company? This is asked directly of
top management (see section 5.1.1c) and is a very revealing question. The point is that ISO 9001
is moving away from being a quality management system standard and becoming a strategic
management system. It’s not just about making sure products or services meet requirements
anymore. The standard is about managing every aspect of the business. Remember sections 4.1
and 4.2 of ISO 9001:2015? There we examined the key topics of context and interested parties.
These concepts touch every corner of the organization, and this is exactly how ISO 9001:2015 is
intended to be used. Top management should be able to describe how the QMS is used to run the
company, not just pass an audit.

6. How do you manage change? This topic comes up multiple times in ISO 9001:2015. The
first and biggest clause on the topic comes up in section 6.3. Here we identify changes that we
know are coming, and develop a plan for their implementation. What kind of changes? Nearly
anything, but the following changes come to mind as candidates: new or modified products,
processes, equipment, tools, employees, regulations. The list is endless. An auditor should
review changes that took place, and seek evidence that the change was identified and planned
proactively. Change that happens in a less planned manner is addressed in section 8.5.6. Here the
auditor will seek records that the changes met requirements, the results of reviewing changes,
who authorized them, and subsequent actions that were necessary.

7. How do you capture and use knowledge? ISO 9001:2015 wants organizations to learn from
their experiences, both good and bad. This could be handled by a variety of means: project
debriefs, job close-outs, staff meetings, customer reviews, examination of data, customer
feedback. How the organization captures knowledge is up to them, but the process should be
clear and functional. The knowledge should also be maintained and accessible. This almost
sounds like it will be “documented” in some way, doesn’t it? That’s exactly right. One way to
audit this would be to inquire about recent failures or successes. How did the organization learn
from these events in a way that will help make them more successful? It’s the conversion of raw
information to true knowledge, and it just happens to be one of the most difficult things an
organization can achieve.

These are by no means the only questions you’ll want to ask. They’re just the starting point. We
didn’t even mention management review, corrective action, or improvement—all of which are
crucial to an effective QMS.  The seven topics discussed here are the biggest new requirements
that auditors will need to probe. I would be very interested in hearing from you on this subject.
What audit questions do you see as critical in ISO 9001:2015?

Dumb Things I’ve Heard Auditors Say


 Published on November 6, 2015
Craig Cochran

International quality expert and consultant



Being a third-party auditor is challenging. You’re walking into somebody else’s company, trying
to make sense of processes that you may have never seen before. The atmosphere is often tense,
and you never have enough time to do the kind of job you’d like to. Then you jump into your car
and roar off to the next job. So third-party auditors can be forgiven for saying dumb things every
now and then. Here are some of the best “humdingers” I’ve heard auditors utter:

“You need to get a better grasp of ISO 9001 terminology.” Does anybody in the
world think ISO 9001 terminology is simpler than their own wording?  If so, I pity that
organization. The organization uses whatever terminology it deems fit, and sometimes this has
little connection to the vernacular of ISO 9001. It’s the auditor’s job to adapt to the local
terminology, not the other way around. Part of the auditor’s preparation for the audit should
include getting up to speed on the organization’s terms, definitions, and vocabulary. The old saw,
“When in Rome, do as the Romans do,” applies very well to the audit process.

“Six months is way too long for any corrective action to remain
open.” Ideally, corrective actions are opened, investigated, acted on, and closed as quickly as
possible. There’s no benefit to stretching out the process. Implement the improvement and move
on to the next opportunity. In the real world, however, corrective actions can take a lot longer.
Depending on the nature of the improvement, the corrective action could involve construction,
acquisition of capital equipment, culture change, or development of new processes and products.
In all of these cases, it could take many months to fully implement the action. The corrective
action remains open during this time, but the organization updates the status and can demonstrate
forward progress. So you always have to consider the nature of the corrective action when you
evaluate how long it has been open. 

“I won't write you up this time, but if the issue isn’t fixed the next time I'll
write a major nonconformity.” This suggests that the auditor is a godlike, benevolent
creature who can ignore or escalate issues at their whim. That’s not really the way an audit
works, though. An audit is a factual and balanced evaluation of the organization. Failing to
identify nonconformities helps nobody. The auditor should simply report what they find, positive
or negative. If the finding happens to be a nonconformity, it should be used as an opportunity to
improve the process, not as a police citation that can be avoided if you promise to do better.

“If you fix these non-conformities before the closing meeting, I won't put
them in the audit report.” How effective are fixes that are implemented in a hurry? Not
very effective. In fact, they tend to be very narrow and superficial actions that are mainly focused
on problem symptoms. When auditors say they won’t make an issue an official nonconformity if
you “fix” it in a hurry, they’re really just encouraging the worst kind of corrective action: the
band aid. When taking corrective action on audit findings, organizations should take a step
backward and take a fresh look at the process. Part of this is identifying the full range of possible
causes that exist throughout the process, from start to finish, and thinking about where else the
nonconformity might exist. This is impossible to do in a big rush before the closing meeting of
an audit.

 “You should separate your ISO 9001 management review from your
leadership team meeting. It's hard for me to see the required inputs and
outputs in these records.” In other words, you should do everything possible to make it
easier to audit. Never mind what makes sense for your own organization. The cruel reality of
auditing is that it’s challenging. Auditors have to seek out the evidence and ask the right
questions, and facts are rarely served up in a neat little package. In cases where the audit
evidence is pre-packaged for the convenience of the auditor, it should be suspected as possibly
manufactured. Organizations must design their quality management systems in a way that helps
them improve. Yes, you may have to eventually pass an audit, but that’s not the primary
objective, despite the way everybody acts. A good auditor will see much more virtue in a system
that drives long term improvement, versus a system that’s just easy to audit.

Records in ISO 9001:2015


 Published on October 20, 2015
Craig Cochran

International quality expert and consultant



ISO 9001:2015 does a lot of things right, but using clear language is not one of them. One of the
most glaring examples is the transformation of the word “records” into “retained documented
information.” That’s right, they took one word and turned it into three. And the three words are
not nearly as intuitive as the one word they replaced. Regardless of what you call them, records
are the proof of something happening. They are historical, referring to past events. As such, they
are not revised. Records might be “corrected” in some cases, but they are never revised. Only
documents are revised. (We’ll address documents and their status in ISO 9001:2015 in a future
article.) The primary control of records is that of housekeeping: knowing where they are stored,
who is responsible, how long they’re kept, etc.
 Here is a summary of records requirements in ISO 9001:2015:  

 24 records are required in ISO 9001:2015. This is compared to 21 records required in ISO
9001:2008. Some of the 24 records required by ISO 9001:2015 are actually repeat
requirements.
 20% of all the record requirements come from section 8.3, Design and development of
products and services. That amounts to 5 records, which is the same number required by
ISO 9001:2008.
 A completely new record that is required in 9001:2015 is retained information on
changes: review of changes, persons authorizing the change, and necessary actions
arising from change (section 8.5.6)
 ISO 9001 continues its redundant ways. ISO 9001:2015 requires records of evidence of
processes being carried out effectively TWICE, once in section 4.4.2 and again in section
8.1.e.1.
 More redundancy: ISO 9001:2015 requires records that demonstrate conformity of
products & services processes TWICE, once in section 8.1.e.2 and again in section 8.6.
 5 of the records in ISO 9001:2015 have qualifiers. They are “to the extent necessary” and
“as applicable.”
 One item listed as “retained documented information” (i.e., record) is actually a
document. That is design outputs. Design outputs are living information such as
specifications, engineering drawings, recipes, formulas, and bills of material. Since they
are living, they are subject to revision, meaning they are documents.
 A handful of requirements would be virtually impossible to have evidence of without
records, and yet records are not required by ISO 9001:2015. These include context of the
organization (4.1), interested parties (4.2), planning of changes (6.3), and customer
feedback (9.1.2).
 One of the strangest record issues of all is the omission of calibration records in ISO
9001:2015. This has been replaced by the requirement to ‘retain information on fitness of
purpose for measuring instruments,’ which would include calibration, among other
possible activities. I expect many people implementing ISO 9001:2015 will get a bit
confused by this.   
 Do not let anyone tell you that the “correct” terminology is retained documented information. If
you like that term, then by all means use it. If you prefer the term ‘records,’ you can use that in
its place. Always remember that documents and records are two different things. That one fact
alone will make any QMS easier to use and understand.

Organizational knowledge and ISO 9001:2015
 Published on September 14, 2015
Craig Cochran

International quality expert and consultant



One of the more unusual new requirements in ISO 9001:2015 is the one for organizational
knowledge. It basically says that your company will determine the knowledge necessary for
running its processes and producing conforming products. Could you even be in business and
NOT have this sort of knowledge? No. So, at first blush this seems like one of those meaningless
requirements that companies and auditors just gloss over. The notes at the bottom of that section
(7.1.6) provide valuable context, though. The notes state that knowledge is gained through
experience, and they go on to give some examples of how knowledge is obtained: lessons
learned, failures, successes, sharing of knowledge, improvements. Now you start to get the
picture. This so-called organizational knowledge is always a work-in-progress. You’re
continually building it on a day to day basis, as you hit home runs… and strike out with the bases
loaded. ISO 9001:2015 also says that this knowledge will be maintained. That means kept up to
date and made accessible. Far from a meaningless requirement, you now see an important
process for continual improvement.

ISO 9001:2015: The questions you may be asked in an audit.
 

So your organisation has invested time, resources and money
to implement ISO 9001:2015 and you now feel that you are ready to
achieve certification. However, there is one more step to prepare for,
and that’s your audit.

Yes, the audit will test your organisation and you can only hope that all
your hard work preparing for this day will result in success. What are
some of the questions you might be asked and can you prepare for
them? Yes, and CG Business Consulting Ltd is here to outline some of
the questions that you will be asked to ensure that you understand
what’s expected of you.

Your audit day is here and the questions begin!

Can you tell us about the context of your organisation?

This is generally a question directed at senior management. Your
auditor will be looking for you to include the internal and external
issues that are relevant to your organisation’s purpose, strategy, and
the goals of your Quality Management System in your answer.

 
Who are the interested parties in your organisation?
This can appear to be a broad question, but you will be required to
know this information and provide it to your auditor. The term interested
parties refers to internal and external people who are relevant to your
Quality Management System. Examples are employees, customers,
suppliers and regulators.

What are their requirements?

This can be described as part two of the previous question, as even
though you know who your interested parties are, you will also need to
know what their corresponding requirements are. Careful planning is
required here to understand the individual requirements of each party
and evidence will need to be provided in your audit.

Have risks and opportunities been identified and how are you
addressing them?

This is one of the major clauses in ISO 9001:2015 and it would be
safe to say it is one of the most important. Your auditor will ask you to
provide evidence that you have carried out an assessment of all the
risks and opportunities that may affect your Quality Management
System and the plans you have in place to manage them.

What plans have been put in place to achieve your Quality
Management System objectives?

Your auditor will need to determine what plans you have put in place
to make it all happen. So if you can show that you are taking the
SMART (Specific, Measurable, Actionable, Realistic and Time-Based)
approach and show how you are implementing the plans
throughout the organisation, this is a great place to start. You should
also provide evidence that your employees are aware of how they can
contribute to the objectives and that they are familiar with the action
plans.
 

How will your Quality Management System be integrated into
your business processes?

With this question, your auditor is simply looking to define how you will
use your ISO 9001:2015 Quality Management System to operate your
business. Again, this question will be directed at Senior Management
as it places an emphasis on how the business will be run and what
plans are in place for continual improvement as part of the business
strategy.

How will your organisation manage change?

This is a very important question as change will always come into an
organisation and you need to be prepared to address it. You will need
to have identified changes that need to be made and provide evidence
on how you will manage these changes. Some of the changes may
include changes to employees’ roles, products, suppliers and changes
in customer requirements.

Your auditor will seek evidence on how you are planning to manage
these changes and that they will meet the requirements for ISO
9001:2015.

So will you be able to answer the above questions and more in your
audit? Let CG Business Consulting Ltd help you. We have provided
you with our FREE ISO 9001:2015 Transition Guide. If you require
any further assistance please feel free to contact us and we will get
you ready.
ISO 9001 Internal Audit Sample Questions
Internal Audits are not only required but are one of the best ways to help your company meet
the ISO 9001:2015 requirements, and become certified to the standard. We provide not only
sample questions, but also training material to help your employees become successful auditors.
Take our ISO 9001:2015 Online Internal Auditor Training, and check out our ISO 9001:2015
Internal Auditor Training Materials to become Exemplar Global Compliant. Receive
a Certificate of Attainment by taking an ISO 9001 Internal Auditor Training Course. We are here
to help provide you with the information, and training for your company to become certified to
ISO 9001:2015. 
 
General Requirements
 Where are the processes needed for the quality management system
identified?
 Have the sequence and interaction of the processes been determined?
 What criteria and methods will be used for operation and control of the
processes?
Management
 Where are the processes needed for the quality management system
identified?
 Have the sequence and interaction of the processes been determined?
 What criteria and methods will be used for operation and control of the
processes?
 How does management ensure that customer needs and expectations are
determined, converted into requirements and fulfilled?
 Does this include customer obligations related to the product, including
regulatory obligations?
 Does the quality policy include a commitment to continual improvement?
 Does it provide a framework for establishing and reviewing objectives?
 Do the quality objectives include a commitment to continual improvement?
 Do quality objectives include those needed to meet requirements for product?
 How does the management rep promote customer awareness?
 Does the quality manual include a description of the sequence and interaction
of the processes included in the quality management system?
 Does Management Review consider changes that could affect the quality
system?
 Are there records of the output of management review? Do they include:
 actions to improve the quality system and its processes
 improvement of product related to customer requirements
Resources
 Can the organization demonstrate that resources are provided to address
customer satisfaction?
 Are they provided in a timely manner?
Human Resources
 Has the organization evaluated the effectiveness of training provided?
 Has the organization ensured that its employees are aware of the relevance
and importance of their activities and how they contribute to achievement of
the quality objectives?
Planning
 Has the organization planned for realization of product?
 Does it include product quality objectives?
 Does it include the need to establish processes and documentation, provide
resources and facilities specific to the product?
 Does the plan for measurement and monitoring to ensure conformity and
achieve improvement identify the need for and use of statistics?
Customer Requirements
Does the identification of customer requirements include:
 product requirements not specified by the customer, but necessary for the
intended or specified use
 obligations related to product, including regulatory and legal requirements
Review of product requirements
Does the organization confirm customer requirements when the customer does
not provide a documented statement of requirement?
Customer Communication
Has the organization identified and implemented arrangements for communication
with customers relating to:
 product information inquiries
 contracts or order handling including amendments
 customer feedback including complaints
Purchasing Control
How has the organization determined the extent of control of purchasing
processes?
Is it dependent on the effect on subsequent realization processes and their output?
Customer Property
Has the organization applied the care of customer supplied property to intellectual
property?
Preservation of Product
Has the organization validated any process where resulting output cannot be
verified?
Does verification include:
 qualification of process
 qualification of equipment and personnel
 use of defined methodologies and procedures
 requirements for records
 revalidation
Customer Satisfaction
 Is the organization monitoring information on customer satisfaction and
dissatisfaction?
 Where are the methodologies for obtaining and using this information
defined?
 Has the organization analyzed appropriate data to determine:
 suitability and effectiveness of the quality management system
 actions to improve the quality system and its processes
 improvement of product related to customer requirements
