Requirements and Guidance

for

Internal Audits
Learning from
Industry Sources

Whittington & Associates, LLC

636 Gunby Road, Marietta, GA 30067
www.WhittingtonAssociates.com
800-404-7585 or 770-955-7585

QAD 2006

2005 Whittington & Associates, LLC

Slide 1

Audit References
REQUIREMENTS

(No additional audit requirements in TL 9000:2001 or ISO 13485:2003)

ISO 9001:2000

Quality Management Systems (QMS) - Requirements

AS9100B:2004

Quality Systems - Aerospace - Requirements

ISO/TS 16949: 2002

QMS - Automotive Suppliers - Requirements for the Application of ISO 9001:2000

ISO 14001: 2004

Environmental Management Systems (EMS) - Requirements with Guidance for Use

GUIDANCE

(No additional audit guidance in AS9106:2003)

ISO 9004:2000

Quality Management Systems - Guidelines for Performance Improvement

ISO/TS 16949:2002

Implementation Guide

ISO 14004: 2004

EMS - General Guidelines on Principles, Systems, and Supporting Techniques

ISO 90003:2004

Guidelines for the Application of ISO 9001:2000 to Computer Software

ISO 19011: 2002

Guidelines for Quality and/or Environmental Management Systems Auditing

QE19011S: 2004

Guidelines for QMS and/or EMS Auditing: US Version with Supplemental Guidance

WWW.ISO.ORG

ISO 9001:2000 Interpretations Service

WWW.ISO.ORG

ISO 9001:2000 Auditing Kit

Speaker Handout

Audit Worksheet (Turtle Diagram) from Whittington & Associates

Speaker Handout

Audit Quick Reference from Whittington & Associates, LLC

QAD 2006

2005 Whittington & Associates, LLC

Slide 2

Audit Definition
Systematic, independent, and documented

process for obtaining audit evidence and

evaluating it objectively to determine the
extent to which agreed criteria are fulfilled.
ISO 9000:2000 - Clause 3.9.1
Fundamentals and Vocabulary

QAD 2006

2005 Whittington & Associates, LLC

Slide 3

Requirements - ISO 9001:2000

Clause 8.2.2
Documented procedure for internal audits
Verification of conformity and effectiveness
Planned on status; importance; prior audits
Auditors selected for impartiality; objectivity
Results reported and records maintained
Corrective action taken without undue delay
Follow-up audit to verify corrective action
QAD 2006

2005 Whittington & Associates, LLC

Slide 4

Audit Guidance - ISO 9004:2000

Clause 8.2.1.3:
Establish

effective and efficient internal audits

Assess strengths and weaknesses of the QMS
Use as management tool for independent view
Obtain objective evidence that requirements met
Judge effectiveness and efficiency of
organization

QAD 2006

2005 Whittington & Associates, LLC

Slide 5

Audit Guidance - ISO 9004:2000

Clause 8.2.1.3:
Ensure

improvement actions are taken on results

Establish flexible audit plans for internal audits
Permit changes in emphasis based on evidence
Develop plans with input from areas to be audited
Consider planning input from interested parties

QAD 2006

2005 Whittington & Associates, LLC

Slide 6

Audit Subjects - ISO 9004:2000

Clause 8.2.1.3:
Effective

and efficient process implementation

Opportunities for continual improvement
Capability of processes
Effective and efficient use of statistical techniques
Use of information technology
Analysis of quality cost data
Effective and efficient use of resources
Process and product performance results
QAD 2006

2005 Whittington & Associates, LLC

Slide 7

Audit Subjects - ISO 9004:2000

Clause 8.2.1.3:
Performance

measurements:

Adequacy
Accuracy
Improvement

activities
Relationships with interested parties
Internal Audit Reporting:
Share evidence of excellent performance
Provide opportunities for recognition
Motivate people
QAD 2006

2005 Whittington & Associates, LLC

Slide 8

Requirements - AS9100B:2004
Develop detailed audit tools and techniques, e.g.,
Checksheets,
Process

flowcharts, or
Similar methods

to support audits of the QMS requirements.

Measure acceptability of audit tools against:
Effectiveness

of internal audit process

Performance of overall organization

Assess contract and/or regulatory requirements.

QAD 2006

2005 Whittington & Associates, LLC

Slide 9

Requirements - ISO/TS 16949

8.2.2.1 Quality Management System Audit

Audit the QMS to verify compliance with ISO/TS 16949 and

any additional quality management system requirements.

8.2.2.2 Manufacturing Process Audit

Audit the effectiveness of each manufacturing process.

8.2.2.3 Product Audit

Audit products at appropriate stages of production and

delivery to verify conformance to all specified requirements,
such as product dimensions, functionality, packaging, and
labeling at a defined frequency.

QAD 2006

2005 Whittington & Associates, LLC

Slide 10

Requirements - ISO/TS 16949

8.2.2.4 Internal Audit Plans
Cover all quality management related processes,
activities, and shifts
Schedule according to an annual plan.
Increase audit frequency when internal or external
nonconformities or customer complaints occur
(Note: Specific checklists should be used for each audit)

8.2.2.5 Internal Auditor Qualification

Use internal auditors who are qualified to audit the

requirements of ISO/TS 16949

QAD 2006

2005 Whittington & Associates, LLC

Slide 11

Guidance - ISO/TS 16949:2002

(ISO/TS 16949 Implementation Guide)

Quality Management System Audit

Use the process approach to monitor natural work flow

Manufacturing Process Audit

Focus on a process within quality management system

Product Audit
Focus on the product characteristics
Verify product requirements are met

Use Turtle Diagram to analyze an audited process.

(See Handout: Audit Worksheet)
QAD 2006

2005 Whittington & Associates, LLC

Slide 12

Turtle Diagram - ISO/TS 16949

INPUT
Receive
What?

QAD 2006

Resources

Resources

What?

Who?

R
E
Q
U
I
R
E
M
E
N
T
S

PROCESS

R
E
Q
U
I
R
E
M
E
N
T
S

Methods

Measures

How Done?

What Results?
2005 Whittington & Associates, LLC

OUTPUT
Deliver
what?

Slide 13

Requirements - ISO 14001:2004

Clause 4.5.5 is similar to ISO 9001:2000, except:
ISO 9001:2000
Organization must conduct internal audits.

ISO 14001:2004
Organization must ensure they are conducted.

ISO 9001:2000
Determine if QMS has been effectively implemented.

ISO 14001:2004
Determine if EMS has been properly implemented.
QAD 2006

2005 Whittington & Associates, LLC

Slide 14

Requirements - ISO 14001:2004

Missing direct coverage of these ISO 9001:2000 requirements:
ISO 9001:2000 - Management responsible for area being
audited must ensure actions are taken without undue delay
to eliminate detected nonconformities and their causes.
ISO 14001:2004 - Not included.
ISO 9001:2000 - Follow-up activities must include verification
of actions taken and the reporting of verification results.
ISO 14001:2004 - Not included.
Addressed indirectly by ISO 14001:2004, clause 4.5.3, on
Nonconformity, Corrective Action, and Preventive Action.
QAD 2006

2005 Whittington & Associates, LLC

Slide 15

Audit Guidance - ISO 14001:2004

Guidance on Use from Annex A.5.5

Perform internal audits by personnel from within

the organization or by external persons selected
by the organization, working on its behalf

Ensure persons conducting audit are competent

and in position to do so impartially and objectively

Demonstrate auditor independence in smaller

organizations by the auditor being free from
responsibility for the activity being audited

QAD 2006

2005 Whittington & Associates, LLC

Slide 16

Audit Guidance - ISO 14004:2004

Perform internal audits to identify opportunities for

improvement in environmental system

Establish an audit program to direct the planning

and conduct of audits and identify the audits
needed to meet the program's objectives

Base program on the nature of operations, in terms

of its environmental aspects and potential impacts,
the results of past audits, and other relevant factors

QAD 2006

2005 Whittington & Associates, LLC

Slide 17

Audit Guidance - ISO 14004:2004

Each internal audit need not cover entire system,

so long as audit program ensures all organizational
units and functions, system elements, and full
scope of the EMS are audited periodically

Plan and conduct audits by objective and impartial

auditors, aided by technical experts, as
appropriate, selected from within organization or
from external sources

QAD 2006

2005 Whittington & Associates, LLC

Slide 18

Audit Guidance - ISO 14004:2004

Collective competence of auditors should be

sufficient to meet objectives and scope of the
particular audit and provide confidence as to the
degree of reliability that can be placed on results

Results of an internal EMS audit can be provided

in the form of a report and used to:
Correct or prevent specific nonconformities
Fulfill one or more objectives of the audit program
Provide input to the management review

QAD 2006

2005 Whittington & Associates, LLC

Slide 19

Audit Guidance - ISO 90003:2004

When software organizations separate their work
into projects, internal audit planning should:
Define a selection of projects
Cover all stages and all processes
Assess compliance of project quality plan to
QMS
Assess project compliance to project quality plan

QAD 2006

2005 Whittington & Associates, LLC

Slide 20

Audit Guidance - ISO 90003:2004

Audit

various projects at different stages of

product development life cycle, or
Audit a single project as it progresses
through various stages.
If intended project changes its timescale,
review internal audit schedule to:
1. Change timing of the audit, or
2. Consider a different project.
QAD 2006

2005 Whittington & Associates, LLC

Slide 21

Audit Guidance - ISO 19011:2002

Guidelines for QMS and EMS Auditing
Understanding principles of auditing
Identifying needed auditor competence
Selecting audit teams
Conducting internal and external audits
Managing audit programs
Evaluating auditor performance
QAD 2006

2005 Whittington & Associates, LLC

Slide 22

Audit Activities - ISO 19011:2002

1. Initiation Define audit objectives.
2. Review
Examine the documents.
3. PreparationPlan for onsite activities.
4. Execution Audit the quality system.
5. Reporting Report the audit results.
6. Completion
Complete the audit plan.
7. Follow-Up Conduct follow-up audit.
(See Handout: Audit Quick Reference)
QAD 2006

2005 Whittington & Associates, LLC

Slide 23

Audit Guidance - QE19011S:2004

ISO

19011 provides guidance and examples

US decided additional guidance was needed
Published ANSI/ISO/ASQ QE19011S:2004
QE19011S includes ISO 19011 guidance
QE19011S adds guidance and examples for:
First-party (internal) audits
Second-party (external) audits
Small organizations
QAD 2006

2005 Whittington & Associates, LLC

Slide 24

Audit Guidance - QE19011S:2004

6.5.7 Conducting a Closing Meeting
(Verbatim ISO 19011:2002 Text)

S6.5.7.1 First Party Audits

May need only auditor and managers of audited areas.

S6.5.7.2 Second Party Audits

Should include suppliers management team and personnel
that will address the audit findings.

S6.5.7.3 Use by Small Organizations

Auditor may be most qualified to provide recommendations
for correcting nonconformities.
QAD 2006

2005 Whittington & Associates, LLC

Slide 25

ISO 9001:2000 Interpretations

Go to: http://www.tc176.org/interpre.asp
Request: (RFI-036 for Clause 8.2.2)
Clause 8.2.2: An audit program shall be planned, taking into consideration the
status and importance of the processes and areas to be audited, ....
Is it a requirement of this clause that the criteria to determine the status and the
importance of the processes and areas to be audited have to be documented?

Background:
There is divergence with the auditor regarding a requirement for documentation
of status and importance criteria despite the fact that evidence was provided
that the planning of the audit program has taken the status and importance of
the processes and areas to be audited into consideration.

Interpretation: No.
QAD 2006

2005 Whittington & Associates, LLC

Slide 26

ISO 9001:2000 Auditing Kit

http://www.iso.org/tc176/ISO9001AuditingPracticesGroup

The need for a 2-stage approach to auditing

Measuring QMS effectiveness and improvements
Identification of processes
Understanding the process approach
Determination of the where appropriate processes
Auditing the where appropriate requirements
Demonstrating conformity to the standard
Linking audit of a task, activity or process to overall system
Auditing continual improvement
Auditing a QMS which has minimum documentation

QAD 2006

2005 Whittington & Associates, LLC

Slide 27

ISO 9001:2000 Auditing Kit

How to audit top management processes

The role and value of the audit checklist
Scope of ISO 9001, QMS, and certification
How to add value during the audit process
Auditing competence and effectiveness of actions taken
Auditing statutory and regulatory requirements
Auditing the quality policy and quality objectives
Auditing 7.6 Control of monitoring and measuring devices
Making effective use of ISO 19011
Auditing customer feedback processes

QAD 2006

2005 Whittington & Associates, LLC

Slide 28

ISO 9001:2000 Auditing Kit

Documenting a nonconformity
Guidance for reviewing and closing nonconformities
Auditing internal communications
Auditing preventive action
Auditing service organizations
Third party auditor impartiality and conflict of interest
Auditing the effectiveness of the internal audit
Auditing electronic-based management systems
Auditing the management of resources
Auditing customer communications

QAD 2006

2005 Whittington & Associates, LLC

Slide 29

Remaining Questions?
Audit Requirements?

Audit Guidance?

ISO 9001:2000
AS9100B:2004
ISO/TS 16949:2002
ISO 14001:2004

Handouts?

ISO 9004:2000
ISO/TS 16949 Guide
ISO 14004:2004
ISO 90003:2004
ISO 19011:2002

Audit Worksheet

QE19011S:2004

Audit Quick Reference

www.iso.org

QAD 2006

2005 Whittington & Associates, LLC

Slide 30