QMS Lead Auditor (ISO9001:2015)
Reference Manual for SQMC Students
PR-328 Version 1 (2019) Revision A (2025).
Thank you for joining this week-long, advanced auditing course at the Scottish Quality Management Centre!
Our training is recognised globally and accredited by the Chartered Quality Institute and the International Register of Certificated Auditors, under the ‘PR-328’ scheme.
This Technical Reference Manual is based on the internationally recognised best-practice guidance for auditing management systems, ISO 19011:2018, and on the accumulated knowledge, experience, and teaching legacy of Mr Ian W. Hannah, FCQI, SrMASQ; founder of the Scottish Quality Management Centre.
The content herein is made freely available for SQMC-trained auditors and Quality Professionals to refer to repeatedly throughout their careers.
Table of Contents
Section One
- Learning Objectives and introductory information
- Quality Management Systems – the official definition
- Deming’s P-D-C-A Cycle
- Quality System Documentation
- The three central categories of audit
Section Two
Section Three
- Pre-Audit Activities
- Audit Programme Management and Planning
- Checklists / Aide Memoires
- The Opening Meeting
- Conducting the Audit
Section Four
Introduction & Learning objectives
The training course this manual accompanies provides participants with the following knowledge and skills:
Knowledge
To explain the purpose…
- of a Quality Management System;
- of Quality Management Systems standards;
- of management system audit;
- of third-party certification;
- of the business benefits from improved performance of the Quality Management System.
Moreover, you should be able to explain the role and responsibilities of an auditor to plan, conduct, report and follow-up a Quality Management System audit in accordance with the international standards ISO 19011 and ISO/IEC 17021, as applicable.
Skills
As well as explaining the theory behind it, you should gain the skills and confidence to go ahead and plan, conduct, report and follow-up an audit of a Quality Management System, in order to establish conformity (or otherwise) with the key Quality standard, ISO 9001, and in accordance with ISO 19011 and ISO/IEC 17021, as applicable.
The format of the course
SQMC Lead Auditor courses are tutor-led, using a variety of learning methods, accelerated learning techniques, multimedia and student interactivity. We hope you’ll find participation on the course undaunting and enjoyable, and we encourage your questions – providing ample opportunities to do so throughout.
The final exam
In addition to the Learning Objectives, the Lead Auditor course has an aim to prepare you to sit the CQI & IRCA’s 1 hour 45 minute, open book, online exam.
Supporting documents and training materials
A copy of the training slides can be provided to our students on request, with space for note-taking. These are designed to correspond logically with this Reference Manual, ordered by day. However, much of the information held in this Manual goes into extensive technical depth, and is intended more to be a tool for your future reference, rather than read in its entirety in the classroom.
SQMC purchased licences for you to own one copy of ISO 9000:2015, ISO 9001:2015 and ISO 19011:2018, and have given them to you on the course. You are permitted access to them during the final exam, and IRCA recommend having a copy of ISO 9001:2015 to reference during the exam.
Background information for topics covered on Day One
Fundamental knowledge a trainee Lead Auditor should already have
Before beginning this advanced training course, SQMC ask our students to take a short ‘prior knowledge test’, to check their knowledge of pre-requisites such as the ‘Plan—Do—Check—Act’ cycle; the Seven Management Principles; and the requirements of the latest ISO 9001 Standard. These essentials are made clear at the point of enrolment; however, we recognise that many delegates are sent on the course by third parties within their organisation!
Personal objectives and training preferences
We want you to get the most out of your time with us, so your tutor may also hand you a personal objectives sheet prior to the course commencing. We’re also keen to find out your training likes and dislikes, to help us to personalise the learning environment for you.
Your Auditor ‘SWOT Analysis’
Lastly, your tutor may ask you to analyse your own perceived strengths, weaknesses, opportunities and threats as someone embarking on a career in external auditing.
Getting started: ‘Quality Management System’ – the official definition
Clause 2.2.2 of ISO 9000 defines a QMS as follows:
“A QMS comprises activities by which the organization identifies its objectives and determines the processes and resources required to achieve desired results.
The QMS manages the interaction processes and resources required to provide value and realize results for relevant interested parties.
The QMS enables top management to optimise the use of resources considering the long and short term consequences of their decision.
A QMS provides the means to identify actions to address intended and unintended consequences in providing products and services.”
NB: The above snippet is taken from your licensed copy of ISO 9000:2015 – the complementary standard to ISO 9001 that outlines QMS Fundamentals and Vocabulary. Your tutor will explain more about this standard shortly…
The late W. Edwards Deming – a sage of the Quality world

William Edwards Deming (October 14, 1900 – December 20, 1993) was an American statistician, professor, author, lecturer, and consultant. He is perhaps best known for his work in Japan. There, from 1950 onward, he taught top management how to improve design (and thus service), product quality, testing and sales (the last through global markets) through various methods, including the application of statistical methods.
Deming made a significant contribution to Japan's later reputation for innovative high-quality products and its economic power. He is regarded as having had more impact upon Japanese manufacturing and business than any other individual not of Japanese heritage. Despite being considered something of a hero in Japan, he was only just beginning to win widespread recognition in the U.S. at the time of his death.
Deming’s ‘Plan – Do – Check – Act’ (PDCA) cycle

PDCA is an iterative four-step problem-solving process typically used in business process improvement. It is also known as the Deming circle, Shewhart cycle, Deming cycle, Deming wheel, control circle or cycle, or plan–do–study–act (PDSA). Here’s how it works:
PLAN
Establish the objectives and processes necessary to deliver results in accordance with the expected output. By making the expected output the focus, it differs from other techniques in that the completeness and accuracy of the specification is also part of the improvement.
DO
Implement the new processes, often on a small scale if possible.
CHECK
Measure the new processes and compare the results against the expected results to ascertain any differences.
ACT
Analyse the differences to determine their cause. Each will be part of either one or more of the PDCA steps. Determine where to apply changes that will include improvement. When a pass through these 4 steps does not result in the need to improve, refine the scope to which PDCA is applied until there is a plan that involves improvement.
Quality System Documentation
Two of the most important objectives in the revision of the ISO 9000 series of standards have been:
- to develop a simplified set of standards that will be equally applicable to small as well as medium and large organizations, and
- for the amount and detail of documentation required to be more relevant to the desired results of the organization’s process activities.
ISO 9001:2015 Quality management systems – Requirements has achieved these objectives, and the purpose of this additional guidance is to explain the intent of the new standard with specific regard to documented information.
ISO 9001:2015 allows an organization flexibility in the way it chooses to document its quality management system (QMS). This enables each individual organization to determine the correct amount of documented information needed in order to demonstrate the effective planning, operation and control of its processes and the implementation and continual improvement of the effectiveness of its QMS.
It is stressed that ISO 9001 requires (and always has required) a “Documented quality management system”, and not a “system of documents”.
Although a specific format is not designated in ISO 9001, it is recommended that if a Quality Manual is desired, it be designed in two parts:
- The Quality Policy Manual that sets out the general quality policies, lists procedures, and general practices of the organisation.
- The Operational Procedures Manual which provides detailed instructions as to how each activity detailed in the policy manual is to be performed and by whom.
Note that written Quality Procedures are not a requirement of ISO 9001. However, they may be required by the organization for its own purposes.
What is documented information? (Definitions and references)
The term documented information was introduced as part of the common High Level Structure (HLS) and common terms for Management System Standards (MSS).
The definition of documented information can be found in ISO 9000 clause 3.8.6:
“documented information – information required to be controlled and maintained by an organization and the medium on which it is contained”
Documented information can be used to communicate a message, to provide evidence that what was planned has actually been done, or to share knowledge.
The following are some of the main objectives of an organization’s documented information independent of whether or not it has implemented a formal QMS:
a) Communication of Information
- As a tool for information transmission and communication. The type and extent of the documented information will depend on the nature of the organization’s products and processes, the degree of formality of communication systems and the level of communication skills within the organization, and the organizational culture.
b) Evidence of conformity
- Provision of evidence that what was planned has actually been done.
c) Knowledge sharing
d) To disseminate and preserve the organization’s experiences.
A typical example would be a technical specification, which can be used as a base for design and development of a new product or service.
A list of commonly used terms and definitions relating to documented information is presented in para 3.6 of these Notes.
It must be stressed that, according to ISO 9001:2015 clause 7.5.3 Control of documented information requirements, documents may be in any form or type of medium, and the definition of “document” in ISO 9000:2015 clause 3.8.5 gives the following examples:
- paper
- magnetic
- electronic or optical computer disc
- photograph
- master sample
ISO 9001:2015 Documentation Requirements
ISO 9001:2015 clause 4.4 Quality management system and its processes requires an organization to “maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned.”
Clause 7.5.1 General explains that the quality management system documentation shall include:
- documented information required by this International standard;
- documented information determined by the organization as being necessary for the effectiveness of the quality management system.
The note after this Clause makes it clear that the extent of the QMS documented information can differ from one organization to another due to the:
- size of organization and its type of activities, processes, products and services;
- complexity of processes and their interactions,
- competence of persons.
All the documented information that forms part of the QMS has to be controlled in accordance with clause 7.5 Documented information.
Guidance on Clause 7.5 of ISO 9001:2015 (from ISO/TC176/SC2)
The following comments are intended to assist users of ISO 9001:2015 in understanding the intent of the general documented information requirements of the International Standard. Documented information can refer to:
a) Documented information needed to be maintained by the organization for the purposes of establishing a QMS (high level transversal documents).
- The scope of the quality management system (clause 4.3).
- Documented information necessary to support the operation of processes (clause 4.4).
- The quality policy (clause 5.).
- The quality objectives (clause 6.2).
- This documented information is subject to the requirements of clause 7.5.
b) Documented information maintained by the organization for the purpose of communicating the information necessary for the organization to operate (low level, specific documents).
See 4.4. Although ISO 9001:2015 does not specifically require any of them, examples of documents that can add value to a QMS may include:
- Organization charts
- Process maps, process flow charts and/or process descriptions
- Procedures
- Work and/or test instructions
- Specifications
- Documents containing internal communications
- Production schedules
- Approved supplier lists
- Test and inspection plans
- Quality plans
- Quality manuals
- Strategic plans
- Forms
Where it exists, all such documented information is also subject to the requirements of clause 7.5.
c) Documented information needed to be retained by the organization for the purpose of providing evidence of results achieved (records).
- Documented information to the extent necessary to have confidence that the processes are being carried out as planned (clause 4.4).
- Evidence of fitness for purpose of monitoring and measuring resources (clause 7.1.5.1).
- Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist) (clause 7.1.5.2).
- Evidence of competence of person(s) doing work under the control of the organization that affects the performance and effectiveness of the QMS (clause 7.2).
- Results of the review and new requirements for the products and services (clause 8.2.3).
- Records needed to demonstrate that design and development requirements have been met (clause 8.3.2).
- Records on design and development inputs (clause 8.3.3).
- Records of the activities of design and development controls (clause 8.3.4).
- Records of design and development outputs (clause 8.3.5).
- Design and development changes, including the results of the review and the authorization of the changes and necessary actions (clause 8.3.6).
- Records of the evaluation, selection, monitoring of performance and re-evaluation of external providers and any actions arising from these activities (clause 8.4.1).
- Evidence of the unique identification of the outputs when traceability is a requirement (clause 8.5.2).
- Records of property of the customer or external provider that is lost, damaged or otherwise found to be unsuitable for use and of its communication to the owner (clause 8.5.3).
- Results of the review of changes for production or service provision, the persons authorizing the change, and necessary actions taken (clause 8.5.6).
- Records of the authorized release of products and services for delivery to the customer including acceptance criteria and traceability to the authorizing person(s) (clause 8.6).
- Records of nonconformities, the actions taken, concessions obtained and the identification of the authority deciding the action in respect of the nonconformity (clause 8.7).
- Results of the evaluation of the performance and the effectiveness of the QMS (clause 9.1.1).
- Evidence of the implementation of the audit programme and the audit results (clause 9.2.2).
- Evidence of the results of management reviews (clause 9.3.3).
- Evidence of the nature of the nonconformities and any subsequent actions taken (clause 10.2.2).
- Results of any corrective action (clause 10.2.2).
Organizations are free to develop other records that may be needed to demonstrate conformity of their processes, products and services and quality management system. Where they exist, all such records are also subject to the requirements of clause 7.5.
Demonstrating conformity with ISO 9001:2015 (from ISO/TC176/SC2)
- For organizations wishing to demonstrate conformity with the requirements of ISO 9001:2015, for the purposes of certification/registration, contractual, or other reasons, it is important to remember the need to provide evidence of the effective implementation of the QMS.
- Organizations may be able to demonstrate conformity without the need for extensive documented information.
- To claim conformity with ISO 9001:2015, the organization has to be able to provide objective evidence of the effectiveness of its processes and its quality management system. Clause 3.8.3 of ISO 9000:2015 defines “objective evidence” as “data supporting the existence or verity of something” and notes that “objective evidence may be obtained through observation, measurement, test, or other means.”
- Objective evidence does not necessarily depend on the existence of documented information, except where specifically mentioned in ISO 9001:2015. In some cases (for example, in clause 8.1 (e) Operational planning and control), it is up to the organization to determine what documented information is necessary in order to provide this objective evidence.
- Where the organization has no specific documented information for a particular activity, and this is not required by the standard, it is acceptable for this activity to be conducted using as a basis the relevant clause of ISO 9001:2015. In these situations, both internal and external audits may use the text of ISO 9001:2015 for conformity assessment purposes.
Terms and Definitions Relating to Documents
The following sample of terms and definitions is taken from ISO 9000:2015:
- Document: (3.8.5) information and the medium on which it is contained
- Procedure: (3.4.5) specified way to carry out an activity or a process
- Quality Manual: (3.8.8) specification for the quality management system of an organisation
- Quality Plan: (3.8.9) specification of the procedures and associated resources to be applied when and by whom to a specific object
- Record: (3.8.10) document stating results achieved or providing evidence of activities performed
- Specification: (3.8.7) document stating requirements
Another two International Standards to be aware of are:
ISO 19011 – Guidelines for auditing management systems
Now in its third edition (published in the summer of 2018), this is a ‘bible’ of audit best practice. All SQMC auditing courses are based upon the principles of this standard; and since it is therefore pivotal to your training this week, we are providing a licensed copy for you to refer to throughout, write on (if desired!) and take home to keep.
ISO 17021-1 – Conformity assessment – Requirements for bodies providing audit and certification of management systems (Part 1: Requirements)
Government-approved Certification Bodies must adhere to the requirements of this standard. We touch on it at times during our Lead Auditor course.
There are three central categories of audit:
- First Party (or internal quality audits): these audits are normally carried out within an organisation, using its own staff, to give the management the assurance that their quality systems are operating effectively.
- Second Party (or supplier audits): these audits are normally carried out by the purchasing organisation to provide assurance that the supplier's quality systems are capable of providing, or sustaining, the delivery of suitable products or services.
- Third Party (or Certification audits; see also ISO 17021-1:2015): these audits are carried out by independent agencies accredited by UKAS, and provide a purchaser with assurance on the effectiveness of a supplier's quality systems. They can also be done for legal, regulatory, and similar purposes.
Historical Background info:
For interest, the definition of QUALITY AUDIT, given in ISO 8402 (which was replaced by ISO 9000:2000; and then the “2005” version, and now the 2015 version), was as follows:
a “systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives.”
It is now: “audit: systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”
Although BS 7229 (1989) treated the terms "audit" and "assessment" as being the same and interchangeable, it should be noted that ISO 10011:1991 made no mention of assessment, but industrial custom and practice does view ASSESSMENT as being slightly different, i.e.:
"An investigation of a potential supplier's quality systems, carried out before giving formal approval to the company."
In the 1994 version of BS EN ISO 9001 the term "assessment", in this context, was replaced by "evaluation". The “evaluation” was always:
- pre-contract
- related to a complete quality system
- performed on an organisation outside the assessor's company

Background information for topics covered on Day Two
Accreditation and Certification Bodies
The National Accreditation Council for Certification Bodies (NACCB) was launched in June 1985. The Council assessed the work of certification bodies applying for accreditation which is granted by the Secretary of State for Trade and Industry.
The first accreditation certificate was awarded in 1986 and there are currently in excess of 70 certified bodies. Successful bodies receive an accreditation certificate and the right to display the National Accreditation Mark alongside their own certification mark.
In August 1995 UKAS commenced operations, taking over the work of both NACCB and NAMAS (National Measurement Accreditation Service). UKAS now provides a unified national accreditation service for laboratories performing tests and calibrating as well as bodies undertaking certification of products, personnel or systems (including environmental management and audit systems).
Accreditation is seen by the DTI as a key means of improving the quality and competitiveness of UK industry. It can be argued that it is now strongly perceived as a key to improving the quality of service providers, also!

The aims of UKAS accreditation are:
- to enhance the status and authority of British certification bodies;
- to develop quality assessment procedures which encourage the achievement of excellence;
- to support the promotion of independent certification in the UK;
- to foster the growth of internationally recognised accredited certification schemes;
- to offer advice to the Government on certification.
Categories of certification which are eligible for accreditation:
- Category 1 – Certification of Quality Management Systems (to ISO 9001:2015)
- Category 2 – Product Conformity Certification
- Category 3 – Certification of Personnel Engaged in Quality Verification.
Agreements or Arrangements with accreditation bodies in other countries
It is UKAS policy to negotiate agreements with other national accreditation bodies through the international and regional accreditation networks. These agreements recognise the equivalence of the accreditation granted in the countries concerned and are referred to as Multilateral Agreements or Arrangements.
Each signatory promises to:
- accept the other Schemes operated by other signatories as equivalent to their own Scheme(s)
- recognise on an equal basis with its own the certificates and/or reports from the organisations accredited by the Signatories under their Schemes.
The result of this recognition is that parties such as purchasers, regulators and insurers who might have insisted on results accredited by their own national accreditation system are influenced to accept results from other accredited sources.
This facilitates the international acceptance of goods traded across borders and supports intergovernmental trade agreements. It also enables accredited bodies to accept results from bodies accredited by any signatory member.
For example, when evidence of competence and traceability of calibration or testing is required by an accreditation body, the laboratory may rely on accredited certificates from laboratories accredited by any of the signatories.
The Agreements have been reached as a result of a formal, detailed evaluation of each of the accreditation body's policies and procedures and the criteria used, and by observation of assessment and surveillance visits. These evaluations are performed by a team of experts in the relevant area of accreditation.
Mutual recognition agreements between countries that are not members of the EA and the EA MLA also operate on a bilateral basis. Each country is required to sign a contract of cooperation with EA and is evaluated in the same manner as the EA signatories.
There are now several International Accreditation Bodies, not just UKAS; these are members of the International Accreditation Forum (IAF), and each is subject to peer review for conformity with ISO 17011 (Conformity assessment - General requirements for accreditation bodies accrediting conformity assessment bodies).
What is the International Accreditation Forum, Inc.?
The International Accreditation Forum, Inc. (IAF) is the world association of Conformity Assessment Accreditation Bodies and other bodies interested in conformity assessment. Its primary function is to develop a world-wide program of conformity assessment which will promote the elimination of non-tariff barriers to trade.

IAF membership includes accreditation bodies from nations in all parts of the world, industry representatives and accredited certification/registration bodies, in an international organisation which seeks to encourage development of a single world-wide system of mutual recognition of conformity assessment certificates.
IAF's objectives include facilitating trade and commerce, in accordance with World Trade Organisation policies, by establishing a Multilateral Mutual Recognition Agreement (MLA) based on the equivalence of accreditation programmes operated by accreditation body members, verified through peer review among those accreditation body members.
It works to find the most effective way of achieving a single system which allows companies with an accredited conformity assessment certificate in one part of the world to have that certificate recognised everywhere else in the world.
It aims to facilitate world trade by working to remove technical barriers that may flow from demands for specific certification and/or registration of management systems, products, services, personnel and other programs of conformity assessment.
IAF promotes the international acceptance of accreditations granted by its MLA signatory accreditation body members, based on the equivalence of their accreditation programmes.
Accreditation is increasingly being used by regulators and the market as an impartial, independent and transparent means of assessing the competence of conformity assessment bodies.
IAF provides the technical basis for the world-wide recognition of the competence of the bodies accredited by its members, realising the concept "tested or certified once - accepted everywhere."
All members of IAF are committed to adopt policies and procedures in their own operations which facilitate trade, in conformity with the World Trade Organisation's Agreement on Technical Barriers to Trade.
Both accreditation body and certification / registration body members are committed to base their own conformity assessment procedures upon standards or guides developed by ISO/CASCO, and adopted in accordance with ISO/IEC rules.
Where members of IAF provide a conformity assessment service to meet market needs, but ISO/IEC standards or guides developed by ISO/CASCO, and adopted in accordance with ISO/IEC rules are not available for that service, the members commit themselves to ensure that the standards they use are developed in accordance with the principles in Articles 5 & 6 on Conformity Assessment (consensus driven open process) of the World Trade Organisation's Agreement on Technical Barriers to Trade.
The IAF Website: www.iaf.nu
Relationship between ISO/IEC 17021-1:2015 and ISO 19011
ISO 19011 is intended to provide useful guidance in:
| Internal auditing | External auditing | |
|---|---|---|
| (commonly called 1st party audit) | Supplier auditing (commonly called 2nd party audit) | 3rd party auditing (e.g. legal, certification and similar purposes) |
| | | ISO/IEC 17021-1:2015 Conformity assessment – Requirements for bodies providing audit and certification of management systems |
Further Guidance for QMS Auditors: ISO 9001 Auditing Practices Group
The website of the ISO 9001 Auditing Practices Group will also be of interest to QMS Auditors.
The ISO 9001 Auditing Practices Group is constituted as an informal group of quality management system (QMS) experts, auditors and practitioners, drawn from the ISO Technical Committee 176 Quality Management and Quality Assurance (ISO/TC 176) and the International Accreditation Forum (IAF).
This website has been established as an on-line source of papers and presentations on auditing QMSs.
The ideas, examples and explanations given reflect the process-based approach that is essential for auditing the requirements of ISO 9001:2015 Quality Management Systems requirements.
The website is primarily aimed at QMS auditors, consultants and quality practitioners.
The papers and presentations that make up the content of this website are not definitive. They reflect a number of different views in QMS auditing. As such, their content may not always be consistent.
It is not intended that the website's content will be used as specified requirements, an industry benchmark, or as criteria that all QMS auditors, consultants or practitioners have to follow.
The items listed under "QMS auditing topics" have papers and presentations associated with them. Simply view and download the relevant document.
Feedback from users will be used by the ISO 9001 Auditing Practices Group to determine whether additional guidance documents should be developed, or if these current ones should be revised.
Comments on the papers or presentations can be sent to the following email address: charles.corrie@bsi-global.com.
ISO.org has a webpage for the (Google search phrase) “Accreditation Auditing Practices Group” which was established to provide guidance to accreditation auditors.
Auditor Registration and Qualifications
The Chartered Quality Institute (CQI)
The CQI is the professional institute for quality practitioners. It also provides the secretariat for the national registration scheme for auditors for Quality Management Systems.
Persons wishing to obtain the status of Auditor or Lead Auditor are required to attain specified criteria which are described in the IRCA publication Ref: IRCA 1000 entitled “Auditor Certification Requirements”.
The scheme is administered by the CQI and is controlled by an independent Governing Board. It is called the “International Register of Certificated Auditors” (IRCA).
Scheme Aims
- to recognise the achievement of competence in the auditing of ISO 9001:2015 Quality Management Systems
- to help purchasers and regulatory bodies to accept audits carried out by Certified Auditors
Qualification and Experience for Auditors

An auditor is a person who is qualified and is authorised to perform all or any part of a Quality System audit. A combination of skills, qualifications and experience is required.
Specifically an Auditor needs:
- to be competent and familiar with the ISO 9001:2015 series
- to be able to communicate both in writing and orally
- to function effectively as an audit team member
- to observe the Code of Conduct
Criteria for registration are based on four elements:
a) Education
b) Work Experience
c) Auditor Training
d) Auditing Experience
Applicants shall satisfactorily comply with elements a), b), and c) to be eligible for any grade of certification.
Satisfying a), b), and c) will only qualify the applicant for the grade of QMS Provisional Auditor.
Further auditing experience as detailed below, will qualify the applicant for QMS Auditor, or QMS Lead Auditor or QMS Principal Auditor grades.
‘Principal Auditor’ grade is mainly intended for Quality consultants who work on their own.
IRCA Code of Conduct
It is a condition of certification that you agree to act in accordance with, and be bound by, the following Code of Conduct:
- To act in a strictly trustworthy and unbiased manner in relation to both the organisation to which you are employed, contracted or otherwise formally engaged (the audit organisation), and any other organisation involved in an audit performed by you or by personnel under your direct control
- To disclose to your employer any relationships you may have with the organisation to be audited before undertaking any audit function in respect of that organisation
- Not to accept any inducement, gift, commission, discount or any other profit from the organisations audited, from their representatives or from any other interested person, or knowingly allow personnel for whom you are responsible to do so
- Not to disclose the findings, or any part of them, of the audit team for which you are responsible or of which you are part, or any other information gained in the course of the audit, to a third party, unless authorised in writing by both the auditee and the audit organisation to do so
- Not to act in any way prejudicial to the reputation or interest of the audit organisation
- Not to act in any way prejudicial to the reputation, interests or credibility of the IRCA
- In the event of any alleged breach of this code, to cooperate fully with any formal enquiry procedure.
Always check the CQI and IRCA website for the most up-to-date information – www.quality.org
In-depth reading for subjects covered on Day Three
Pre-Audit Activities
Overview
Let’s now consider the activities involved in preparing for an audit, concentrating on the information-gathering activities which are undertaken to facilitate audit programme planning.
Audit Programme Management and Planning
The sequence of activities involved in planning and preparing an audit is summarised below:
- Contact the auditee organisation in order to obtain information about their activities;
- Review the documented Quality Management System;
- Conduct a pre-audit visit;
- Define the objectives/scope/scale of the audit;
- Nominate the audit team;
- Plan the audit programme;
- Submit the programme to the auditee and confirm the date(s) of the audit;
- Prepare audit documentation.
Obtaining Information
In order to plan an external audit, the auditors require a considerable amount of information about the company - its activities, organisation, policies and procedures.
The company's Quality Manual (if it has one), website and business brochures are the usual source of this information.
When making the initial approach to a company to arrange for an audit, the auditor should consider the possibility that the company Quality Manual may not contain all the information necessary for proper planning of the audit.
The auditor should therefore request all of the required “documented information”, in detail.
If the information required is not in the Quality Manual, the company will need to provide additional documentation.
The documents received, whatever they are called, should describe the Quality Management System for the intended scope of the audit.
If this information cannot be provided in documentary form, the Lead Auditor has the option to pay a preliminary visit to the company, in order to obtain information necessary for the planning of the audit.
Reviewing the Documented Quality Management System
It is a requirement of ISO 9001 that the company shall have documented its Quality Management System (QMS).
This documented information then becomes part of the "specified requirements" against which the auditor will assess the company's QMS.
Consequently it is quite acceptable for the audits to be carried out in 3 stages:
Stage 1:
Evaluate (form an idea of the value of) the content of the documentation against the requirements of the relevant Quality Management Standard (e.g. ISO 9001:2015).
This task will usually be carried out by the Lead Auditor (i.e. systems audit).
Stage 2:
Audit selected activities to ensure that they are being carried out in accordance with the procedures described in the QMS documentation, and that they comply with the intent of the Standard (i.e. compliance audit).
If the documentation fails to provide adequate information about how the company fulfils any part of the requirements of the Quality Standard, this should be discussed with the company's Quality Management Representative during the audit (or pre-audit visit) and, if no satisfactory explanation is forthcoming, declared as a 'finding' of the audit.
Such matters should, of course, be kept in mind when deciding on the 'audit sample'.
It may be decided that requirements that have not been satisfactorily addressed within the Quality system documentation are worthy of further specific investigation.
Stage 3:
Process Audit documentation (see relevant paragraphs in Section 4 & 6).
The Pre-Audit Visit
The Lead Auditor usually undertakes such visits. They can serve one or more purposes:
- To help identify areas of the organisation's activities which are not included in the QMS documentation.
- To help identify which clauses of the Quality Standard are applicable (i.e. exclusions from Clause 7)
- To help the auditee to understand the audit process more fully.
- To get a clearer picture of the geography and scale of the organisation, to assist in audit planning.
Even if the information can be obtained from the documentation supplied, it is often advantageous to both parties to have a preliminary meeting between the Audit Team Leader and the company's Quality Management Representative.
This is especially true if the Lead Auditor and Auditee Company have not had any previous contact (e.g. a prior audit or survey), as it allows the Lead Auditor to gain a better view of what the Auditee Company does.
Such a meeting may be used to discuss any shortcomings in the documented QMS, and whether or not the auditees are ready for an audit on the proposed date.
However, if the proposed audit is to go ahead, the auditor should refrain from giving any premature indication of success or failure.
It may also be possible for the Lead Auditor to draft an audit programme, and have it agreed during this visit.
Summary
Planning for an audit is a substantial task, carried out predominantly by the Lead Auditor.
The first requirement is to agree the scope of the proposed audit.
- The audit sample is selected to fit into the audit strategy and the declared scope.
- The audit programme puts timing into the audit sample and is agreed with the auditee.
- The agreed programme is then explained to the audit team at a briefing meeting.
Checklists / Aide Memoires
Overview
Let’s look at the reasons for developing checklists, the benefits that can be derived from their use, and identify the factors to be taken into account when compiling checklists for audits.
The Benefits of Checklists / Aide Memoires
Pre-planning the audit by preparing checklists is one of the techniques of effective assessing.
The use of checklists:
- Helps to ensure that the auditors are well briefed about the objectives and scope of the audit.
- Helps to ensure that the audit sample is well balanced.
- Allows the Lead Auditor to evaluate the preparatory work carried out by other members of the team.
- Helps the auditors to control the pace of the audit.
- Is useful if there is a need to rework the assignment of audit tasks to individual auditors.
- Provides a record of the specific areas and activities investigated during the audit.
Once the audit programme has been agreed, the audit team can complete the planning of the audit by deciding what aspects of the QMS they shall examine in each work area/process to be visited. This is done by preparing checklists.
In preparing checklists, an auditor is defining the sample of activities which is to be investigated in the part of the audit for which he/she is responsible. While auditing, the auditor will use the checklist as an aide memoire, to provide a reminder of what he/she had planned to investigate.
To reach an informed judgement about the degree to which the organisation complies with the QMS requirement, the auditor must obtain factual evidence. The audit sample must be selected so that appropriate factual evidence can be obtained. To carry out this difficult task effectively requires skill, which will only be developed with experience of auditing.
The checklists should be a good servant but never be the master of the auditor. The auditor may come across information which, if followed up, may provide a valuable insight into the way the company manages quality. However, deviation from a pre-prepared checklist should only be done if time is available in the programme, and the overall objective of the audit will not be jeopardised by such a deviation. In general, if an audit has been well planned and the checklist carefully prepared, deviation from the checklist will not be necessary.
Preparation of Process Checklists
Before preparing the checklists, the auditor should become fully conversant with the objectives and scope of the audit, and with the documents which specify the QMS requirements relevant to that process.
There should be a separate checklist for each process or work area to be visited. Sometimes it may be beneficial to have more than one checklist for a single process, if there is more than one function applicable to that area, e.g. production and inspection.
The number of items to be included in a checklist will depend on the time available for that part of the audit, to be assured of the effectiveness of the process in question.
The checklist questions should be pertinent to the process inputs, resources and controls applied, and actual output (versus expected output).
It is particularly useful if the checklists save the auditor time by identifying the particular aspect of the standard or the QMS to be investigated. When preparing a checklist, therefore, it is recommended to use:
- The company's QMS documentation, e.g. a section or paragraph of the Quality Manual.
- The relevant QMS Standard, e.g. a clause of ISO 9001:2015.
An auditor's personal experience is also an obvious source of ideas of which aspects to investigate in a given situation (being aware of possible bias).
Styles of Checklist
The amount of detail included in the checklist about the activities for investigation should suit the needs of the individual auditor. The auditor may write out a series of questions, or simply list headings. Generally, less experienced auditors will benefit from making out more detailed checklists.
There are a number of question types that can be used in checklists:
Criteria
Asking the question 'Does .... happen', or 'Is it the case that ....'. The response expected to such questions is a clear yes or no. Any fudging or reluctance by the auditee to commit themselves indicates the need for further investigation.
Bullet Points
Using simple, short, bullet points instead of fully phrased questions. This saves time in writing out the checklists, but should only be used when the auditor has sufficient experience to be able to fill out the relevant questions as they go along.
Full Questions
This is probably the easiest approach to adopt for inexperienced auditors. Writing out detailed questions in full is time consuming, but provides clear guidance when conducting the audit. The main danger is that potentially interesting avenues of enquiry are not pursued because questions were not written for them during the preparation of the checklist.
Supplementary Questions
One way of countering the potential restrictions caused by the use of detailed questions is to include supplementary questions, which can be used to follow up avenues of enquiry as they develop. This requires a lot of forethought, as it entails considering all possible (or likely) responses to particular questions, and then considering what questions that response would provoke.
Summary
The purpose of auditor checklists is to provide a reference document for use during the audit process, which will help the auditor keep to the prepared plan for the audit both in terms of time and content.
The style of the checklist is at the auditor's discretion. In preparing a checklist the auditor should:
- be conversant with the QMS
- relate the checklist to the process or area to be audited, i.e. investigate:
  - the input to the process
  - resources applied
  - controls applied
  - the activity/process itself, and
  - the output of the process
- relate the work to be done to the time available.
Opening Meeting
Purpose and Format
The performing of an audit begins with an opening meeting at which the objectives and scope of the audit are made clear to the auditee's managers and arrangements for the audit are confirmed.
The opening meeting is held at the location at which the audit is to be performed, and is chaired by the Lead Auditor.
The opening meeting provides the opportunity to establish the general rules for the conduct of the audit and should follow an agenda set by the Lead Auditor. Matters to be covered should include:
- Introduction of personnel, both auditors and auditees (an attendance list should be circulated).
- Explanation of the objective and scope of the audit and, if necessary, a statement about the authority for conducting it.
- Review of the audit programme, as previously agreed. The auditors should confirm that there would be representatives of the management for them to talk to at each location.
- Introductions of the individuals who will act as 'guides'.
- Identification of audit responsibilities, e.g. which auditors will assess which processes? Who will sign Non-Compliance Reports (NCRs) for the auditee?
- Confirmation of the status of the Quality Management System documents used by the auditors to prepare the audit.
- Confirmation of the procedure for communicating with the auditee, including notification of nonconformities, and who is the principal interface should problems arise.
- Confirmation of logistical arrangements, e.g.:
  - Meeting place for the audit team
  - Access to photocopier, telephone, e-mail, etc.
  - Lunch arrangements
  - Transport arrangements, if applicable
- Time and place for the closing meeting.
- Response to any questions put by the auditee management.
If previously asked, the Lead Auditor should suggest that the auditees should have present at the opening meeting:
- Someone to represent their Senior Management.
- Their nominated Quality Management Representative.
- The individual with whom arrangements for the audit were made.
- The guides.
Conduct of Opening Meeting
Many companies adopt the policy of having their management strongly represented at opening meetings to demonstrate to the auditors the company's commitment to their Quality Management System.
Other companies send managers to opening meetings as a means of communicating the quality message and gaining commitment to the Quality Management System.
However, it is a matter for the Auditee Company to decide whom they will have present.
The auditors may have questions of a general nature to ask about the Quality Management System of the company.
It is sometimes appropriate to ask these during the opening meeting.
However, if there are a large number of people attending the meeting, it is better to keep the questions for a subsequent discussion with the Quality Management representatives to avoid keeping managers away from their work longer than is necessary.
Also, if the auditor asks for information about the Quality Management System during the opening meeting there is a risk that lengthy explanations by the auditee's management will extend the meeting and upset the audit programme.
The auditors should ask questions in less formal settings when they can, without discourtesy, interrupt if an explanation becomes unnecessarily long or irrelevant.
The Lead Auditor should go into the opening meeting well prepared with a written agenda and should conduct the meeting in a business-like and professional manner.
He/she should also ensure that a record is kept of those attending and particular concerns raised.
The meeting should be short (no more than 30 minutes) and to the point.
Presentations by the company - such as slide shows or videos - should be politely declined, as they would take time out of the audit programme.
Here is a summary of the six key factors to bear in mind for your opening meetings:
- An opening meeting is held with the auditee's management at the beginning of each audit.
- The Lead Auditor sets the agenda and chairs the meeting.
- The meeting is held to perform introductions, confirm the audit details including logistics, and answer any auditee queries about the audit.
- Opening meetings should be kept as short as possible.
- The meeting should confirm the date and time of the closing meeting.
- The meeting should confirm confidentiality to the auditee's management.
Conducting the Audit
Overview
This section describes the process of auditing, and how the auditor maintains control over the pace and conduct of the audit.
Investigation techniques including interviewing, the taking of notes and recording and verification of apparent nonconformities are explained.
Ethical behaviour and how an auditor should respond to different types of auditee reactions are discussed in previous sections.
The Investigation
The Lead Auditor must keep control of the situation at all times.
On entering a process area/department, the auditor should quickly review the audit plan with the guide and manager or supervisor of the department and accept their advice as to the sequence in which it would be easiest to investigate the various activities.
The auditor should decide how much time should be spent discussing the management control procedures with the responsible manager.
This decision will depend on how much information was obtained from the Quality Management System documentation reviewed prior to the audit.
The auditor should then work systematically through the items on the relevant checklists.
If no evidence of any nonconformity or deficiency is found, the auditor can and should proceed very quickly.
Once the audit sample (defined in the audit plan) has been covered, the auditor should move on.
If the audit sample clearly shows the activity being investigated to be in compliance with specified requirements, it is pointless for the auditor to increase the audit sample in the hope of finding something wrong!
Remember that the benefit of sampling is that it saves audit time; the limitation is that the auditor has not seen everything.
If there is evidence of a problem, a further investigation should be carried out, possibly going beyond the planned audit sample.
However, the auditor must keep in mind the need to carry out the rest of the audit as planned and must avoid spending an excessive length of time exploring a single aspect of the QMS.
Throughout the investigation the auditor must guard against being side-tracked onto the investigation of minor deficiencies of little practical significance to the QMS and so failing to spot major problems.
If there are several auditors operating, it is essential that they get together at least once a day to exchange information.
Interviewing
The principal way in which auditors obtain information about the functioning of the QMS is by asking questions.
By so doing they supplement the information available from written material and provide the auditee with an opportunity to explain systems and work practices.
They also obtain information about the degree of understanding of, and commitment to, the QMS.
Questions should be directed to the auditee management, supervisors and people actually carrying out the work.
It is, of course, necessary to obtain the permission of the auditee's management representative (the manager or supervisor of the area or department, or the guide) before directing questions to members of the workforce.
If the auditee's representative considers that the question which the auditor has asked has not been understood, or has been directed to the wrong person, he/she may say so, and the auditor should seek the representative's help in finding the right question and the right person to ask.
If a supervisor tries to answer on behalf of a subordinate, the auditor should ask the supervisor politely to allow the subordinate to answer.
If, after the question has been answered, the supervisor thinks that the answer was wrong, the supervisor should be allowed to provide an alternative explanation.
In this way much may be learned about how the management train, instruct and supervise the workforce.
The asking of open questions (which cannot be answered with "yes" or "no") should be developed - followed by the request "please show me".
Top management are expected to participate when their organisation is being audited, and Auditors should devise (diplomatic!) checklists to seek confirmation of their commitment and participation in the QMS.
Investigation Techniques
To obtain facts about the implementation of the QMS it is necessary for the auditors to examine “documented information”, e.g.:
- Documents
- Computer records
- Work in progress
- Equipment
- The working environment
The size of samples examined need not - and indeed cannot - be large.
Scrutiny of half a dozen design specifications, work plans, stock records, etc usually suffices to produce evidence that the system is or is not satisfactory.
It is advisable to check 3 or 4 different products and/or operations to see if the implementation is consistent.
If the initial sample leaves the matter in doubt - the auditor should look at a larger sample. (See also ISO 19011:2018 - Annex A; Clause A6 for further guidance on Sampling).
For some QMS requirements, such as document control, evidence of compliance will be obtained at virtually every stage of the investigation.
The total sample is ALL the documents scrutinised in the course of the audit.
Auditors should, where possible, select their own sample for examination and not leave this to the auditee.
If an auditor asks to see something and finds it is kept elsewhere, it is usually good practice to go with the auditee to fetch it or see where it is kept.
If the auditor does not accompany the auditee, it is possible that the auditee will "fail" to find evidence that proves non-compliance and might take a long time to return.
Recording Deficiencies
As the investigation proceeds, the auditor should make brief notes of what is seen and heard. If a deficiency is suspected or indeed confirmed, the auditor should record in detail all the relevant facts such as document references, item identification etc. The job titles, and where appropriate, the names of the people with whom the deficiency was discussed should be recorded. This 'observation' should be summarised in the 'comments' column of the checklist.
This evidence is usually referred to as OBJECTIVE EVIDENCE, which is defined as follows:
“Data supporting the existence or verity of something” (BS EN ISO 9000:2015)
NOTE: Objective evidence may be obtained through observation, measurement, test, or other means.
The key parts of this definition are that the objective evidence is:
- Factual;
- Based on observations, measurements or tests;
- Verifiable.
As soon as an auditor has evidence of a non-conformance the auditor should inform the auditee. The reason for doing this is so that the auditee may help the auditor to understand the system and significance of the facts that have come to light.
If, after hearing all the explanations and completing the investigation of the facts, the auditor considers that there is objective evidence of a non-conformity, the auditor should inform the auditee of the finding, that is, exactly what the deficiency is and what objective evidence supports that conclusion. The auditor should also try to indicate how serious the nonconformity is considered to be. This is called the 'Quality Risk'. If time is needed to consider the significance of the finding the auditor should tell the auditee so.
It is good practice for the auditor to write a brief factual statement of the observations (nonconformity or deficiency statement) and have this accepted and signed as factually correct by the auditee before the audit party moves on. Where this is not done, the auditor should inform the auditee's management representative verbally about the deficiencies found. Informing the auditee's representative of nonconformities as they are found is a courtesy that can increase the effectiveness of the audit by improving the atmosphere in which it is carried out.
The findings are not written up in the form of nonconformity statements before leaving the department in which they were found, but this should be done at the first opportunity, i.e. at lunchtime or in the evening, when the Audit team meets. When writing nonconformity statements, remember that:
- A deficiency or nonconformity must be a failure to comply with the letter or the intent of a requirement (which may be a documented requirement or may have been communicated verbally to the auditor by auditee company staff).
- Findings must be supported by objective evidence and this evidence should be included in full in the Non-Compliance Report (NCR).
- Nonconformity statements should be no longer than necessary, but they must be easily understandable.
- It is helpful if nonconformity statements are worded in a manner which directs the auditee’s management precisely to the deficiency.
- Avoid placing blame on individuals by name.
Format of Nonconformity Statements
Nonconformity statements should be like ‘BACH’:
Brief
Accurate
Complete
Helpful
In practice, it is often difficult to meet all four criteria, and it may be argued that the requirements for "completeness" and "brevity" are mutually exclusive. A compromise is often required.
Brief
The auditor is likely to have many nonconformity statements to write before presentation of the audit results at the closing meeting.
Furthermore, it is often a requirement that the statements are read out at the meeting. Clearly, it is in the interests of both the auditor and the auditee to keep each nonconformity statement as brief as possible, without making it unverifiable and useless as a means of initiating effective corrective action.
Accurate
Nonconformity statements must always be accurate. Inaccuracy may invalidate the nonconformity, as it will not be accepted by the auditee, and worse, may damage the credibility of the auditor, casting doubt on the accuracy of other findings.
Complete
Nonconformity statements should contain all the information necessary for subsequent verification of the audit findings by the auditee. In general nonconformity statements should address:
- WHERE the nonconformity was observed (e.g. "At the No 1 loading bay . . .").
- WHO was involved (e.g. ". . . the Store manager was in possession of . . ."; "the Fork-lift driver stated that . . .").
- WHAT (e.g. ". . . an uncontrolled copy of ‘Control of Nonconforming outputs’ requirements, FGSR revision 3"; ISO 9001:2015; para. 8.7).
Nonconformity statements must include all applicable equipment serial numbers, document references, location codes, etc to allow verification.
Helpful
If a nonconformity against the documented QMS is raised, it is common to reference the requirement, and on occasions it may be helpful to restate the requirement in full (e.g. “this does not comply with the Quality Manual Section 13.4 which states that….”). Providing information as to the nature of the nonconformity is helpful to the auditee's management, who might not be fully conversant with every detail of the QMS. However, the auditor must balance the need for brevity against the need to be helpful. If the nature of the nonconformity is obvious, there is no need to state it in the nonconformity statement.
Points to Remember when Conducting the Audit Activities...!
All too often an auditor is faced with auditing an organisation which considers his/her visit an unnecessary intrusion, provides a strong argument indicating that everything complies with the standard, attempts to keep the auditor in a conference room in order not to disturb the work, or provides "red-herring" statements to deflect the auditor from his real purpose and so use up available audit time. The Lead Auditor must take control of the situation from the start and keep the objectives of the audit firmly in mind, together with the policy on the issue of non-conformities. Findings should be reviewed with the rest of the team regularly - at least at the end of the day and prior to the closing meeting (co-ordination, rather than too much group work, which may be too time-consuming).
The objectives of the audit have to be clearly established beforehand. Very often the client requesting it may not have a clear idea of what he/she wants, or ideas may differ from those of the auditor(s). Any such differences must be discovered and resolved.
Audit Investigation Techniques
Auditors should not be afraid to "nose about". Uncontrolled copies of specifications, out of date test plans, unlicensed copies of software packages are not likely to be found conspicuously displayed - but their existence in a filing cabinet or in a directory not in the manual prejudices control of product quality. However, before exploring or examining, the auditor must always remember to seek permission from the auditee. The auditor must ensure that any evidence of non-compliance with the QMS found in this way is relevant to the purpose and scope of the audit.
During the audit interview, the auditor must look at the person being addressed but may learn much from the "unguarded" facial expressions and remarks from those nearby who are not directly involved in the discussion. In this way the auditor may gain useful leads to problem areas and particularly to evidence of failure to comply with management instructions. Auditors are often credited with uncanny luck when after a short investigation they turn up factual proof of deficiencies from an indigestible mass of evidence. The truth is that experienced auditors get many "leads" from observing the attitudes and reactions of the people who are actually carrying out the work activities.
As was stated earlier, the auditor has to use judgement as to how long to pursue a given concern. Taking into account the seriousness of the concern and the time available in the audit programme, the auditor must decide whether a little more research will uncover a problem, or whether it is wiser to move on to another topic.
The auditors should include in their notes all the information needed to identify the items which they have examined as it may be necessary to include this information in any related non-conformity statement.
Auditee Reaction
The reactions of the members of the management and staff of an auditee company may range from outright and outspoken hostility to willing co-operation towards a perceived common goal of improved quality performance.
The auditor must accept full responsibility for the successful conduct of the audit, and must be prepared to encounter the full range of auditee reactions during each audit.
Hostility to the idea of being "investigated" sometimes manifests itself in obstructionist tactics that include:
a. Diversionary tactics, such as offers to explain procedures, show off equipment, discuss technical achievements.
b. Delaying tactics such as 2 hour lunches at an hotel far from the audit site; the guide or manager accompanying the auditor going off to fetch somebody or something and not reappearing for 40 minutes; frequent breaks for coffee.
c. Arguments about the "practical significance" of established failure to comply with requirements of the QMS Standard.
However, the auditor should always bear in mind the possibility that some of the above situations may arise not because of opposition to the audit but because a department lacks experience of the auditing process. It is possible that the company may have been visited previously by auditors who were more interested in lunch and a tour of the facility than in investigating the operation of the QMS. Patient and persistent explanation of how the auditor wishes to conduct the audit may be more appropriate than resentment.
The representatives of the auditee company have the right to challenge any of the auditor's conclusions that are not adequately supported by objective evidence. Similarly, the auditee may rightly challenge the auditor for any criticism of the QMS relating to absence of features not specifically required by the contract, the relevant QMS Standard or the product standard/code of practice. Further, the auditee may challenge criticisms of the QMS for the absence of features relating to specified requirements that are not appropriate to the services or products being supplied.
Auditors can frequently strike up an excellent rapport with the management and workforce of the auditee company. There can be common interest in checking for deficiencies in practices in order that the QMS may be improved. The auditor can further improve this rapport by being as constructive as possible with comments.
The Audit Party's Roles
A reminder of the parties involved, and their roles:-
a) Auditee (the “organisation being audited”)
It is worth noting here that the auditee also has "duties & responsibilities", which include the auditee’s management:
- informing all relevant employees about the objectives and scope of the audit;
- appointing responsible members of staff as guides to accompany the auditors;
- providing all the resources which the audit team will require to conduct an effective & efficient audit;
- co-operating with the auditors to ensure the audit objectives are achieved.
b) Auditor (the “person with the competence to conduct an audit”)
NOTE: To perform a quality audit, the auditor must be authorised for that particular audit. An auditor designated to manage a quality audit is called a "Lead Auditor" (previously, "Lead Assessor").
c) Audit Client (the “organisation or person requesting an audit”)
NOTE: The client may be:
- The auditee wishing to have its own system audited against some QMS standard;
- An independent agency authorised to determine whether the QMS provides adequate control of the products or service being provided (such as food, drug, nuclear or other regulatory bodies);
- An independent agency assigned to carry out an audit to list the audited organisations' QMS in a register.
The Pre-Closing Meeting
The Lead Auditor will have called together the Audit Team at least once a day during the audit, to compare notes. He/she:-
- synthesises the findings of the whole team
- checks completion of Non-Compliance Reports (NCRs)
- must plan the Closing Meeting, focusing on clarity and consistency
- must ensure that nonconformities, corrective & preventive action, and observations are appropriately highlighted and accepted by the auditee.
Audit Programme Records
As we have seen, in Section 3, records are still important in ISO 9001:2015; they should be maintained to demonstrate the implementation of the audit programme and should include the following:
a) records related to individual audits, such as:
- audit plans,
- audit reports,
- nonconformity reports,
- corrective and preventive action reports, and
- audit follow-up reports, if applicable;
b) results of audit programme review;
c) records related to audit personnel covering subjects, such as:
- auditor competence and performance evaluation,
- audit team selection, and
- maintenance and improvement of competence.
All Records should be retained and suitably safeguarded in a manner suitable to the organisation, and its clients.
Conducting an audit… at-a-glance:
- The Lead Auditor must control the pace of the audit by working through the schedule.
- The interview is the principal way in which the auditor obtains information about the functioning of the QMS.
- Ask the "right" person and the "right" questions. 'Please show me?'
- Examine the evidence against the QMS requirements.
- Take detailed notes on the evidence obtained.
- The auditor's own opinions and preferences should be suppressed.
- If the auditor finds evidence of nonconformity with QMS requirements, it shall be recorded in the form of "nonconformity statements".
- The objective evidence contained in the statements shall be:
- factual, based on observation, measurements or tests, verifiable.
- Nonconformity statements should include - who, what, where - and the nature of nonconformity if this is not obvious. Dependent on the organisation's policy, these statements may be verified by the guide accompanying the auditor.
In-depth reading for subjects relating to Day Four
Nonconformity / Non-Compliance Reporting
Definition: ‘Nonconformity’
"Non-fulfilment of a requirement" (ISO 9000:2015); A report of a deficiency found during an assessment or audit.
NOTE: do not make reference to "errors", "problems", "faults" or “failings”.
Types / "Quality Risk"
The category of nonconformities is determined by the auditors based on the procedures set down by their employers / Certification Body. Below are typical classifications, given as an example:
Category 1 (MAJOR – CRITICAL)
The absence of a system required by the quality standard or clear evidence of the existing system being ineffectual.
Category 2 (MAJOR)
One major nonconformity or a significant number of minor nonconformities found, relative to a particular system, which when viewed collectively can indicate weakness within that system or its controls.
Category 3 (MINOR)
A single minor lapse within a particular system which can be readily rectified.
NB: Category 2 nonconformities can be a single MAJOR nonconformity, as well as a collection of Category 3 non-compliances
Category 1 and 2 (MAJOR) nonconformities would normally preclude acceptance by the assessing body until agreed corrective action was completed.
Category 3 (MINOR) nonconformities would not normally preclude acceptance. Generally a “pass with reservations” is granted, the reservations being removed upon the company supplying evidence of clearance of the nonconformity.
If the assessment was undertaken as a second party it would normally be up to the client to decide on the acceptance status of a nonconformity.
Reporting Nonconformities
A written record in the form of an NCR is not usually raised as soon as the error is discovered but only after the audit team meets, and with the agreement of the Lead Auditor (NCR = Non-Compliance Report, see p. 14:5). However, critical nonconformities should be reported by the Lead Auditor to the auditee immediately.
There should be sufficient detail in the report to clearly identify all the facts concerned, especially the requirement and the evidence of the non-conformity i.e. the “WHAT, WHERE, WHEN, WHY, WHO, HOW” circumstances.
Objective Evidence
It is very important during an assessment to establish that the facts you have investigated are a true and accurate reflection of the way in which the QMS is applied. Often a member of the workforce may give a rehearsed version of the controls being applied.
The auditor must look for evidence in the form of records, documents and activity controls to prove that the system is being controlled. This is known as “seeking objective evidence”.
“Objective evidence = find the proof”
This also applies to nonconformities. Always look for objective evidence when a nonconformity is found. The occurrence discovered may be the effect and NOT the cause.
“Objective evidence = find the cause”
Individual nonconformities are noted as errors, mistakes and omissions in the QMS as found. They are not normally initially graded but are purely referred to as “observations”.
As the assessment progresses, and at least every day, the number of NCRs should be reviewed to ascertain whether the failure is a “one off” situation or is a pointer which combined with other NCRs indicates a major system failure. By the end of the audit and before findings are presented by the management, each NCR is to be categorised according to its effect on the specification. The Lead Auditor will make the decision on categories of NCRs at the pre-closing meeting briefing.
It is normal practice to present each major NCR against its relevant section of the chosen specification.
Care must be taken when grouping nonconformities – which one should be taken separately, then grouped where appropriate in a summary.
Major nonconformities should be supported by the evidence gained through individual minor occurrences.
Points to Remember:
- analyse nonconformities, making reference to the area where they were found and to the relevant clause(s) in the quality standard.
- note observations as the audit progresses
- look for patterns and for areas where emphases lie
- be prepared to adapt the audit programme to enable further evidence to be gathered
Definitions – A Reminder!
- Observation: A statement of fact made during an audit and substantiated by objective evidence. (Common usage – not in ISO 9000)
NB: With the issue of ISO 9000: 2015, some new definitions emerged, as follows:-
- Audit Conclusion: outcome of an audit after consideration of the audit objectives and all audit findings
- Objective Evidence: data supporting the existence or verity of something.
- Context of the Organisation: combination of internal and external issues that can have an effect on an organisation’s approach to developing and achieving its objectives.
- Risk: effect of uncertainty
- Outsource: (verb) make an arrangement where an external organisation performs part of an organisation’s function or process.
The Pre-Closing Meeting Arrangement
The Lead Auditor will have called together the whole audit team at least once per day during the course of the audit to compare notes. The Lead Auditor controls team members' activities throughout the audit.
The Lead Auditor synthesises the findings of the whole team, bearing in mind that all non-conformities should be presented in such a way that they are immediately and unambiguously understood and accepted. The auditee must be encouraged to take any necessary corrective action arising from nonconformities.
Whenever a Non-Compliance Report is raised, the Lead Auditor must check that it has been appropriately completed, including reference to the relevant Quality Standard sub-clause.
Finally, the Lead Auditor must decide upon the approach he/she intends to take at the closing meeting and will tend to do one of the following:
- categorise nonconformities in descending order of importance beginning with major quality risks;
- list nonconformities according to the Quality Standard being used, progressing through the chronological sections and sub-clauses;
- have each team member present findings on an individual basis, usually beginning with major quality risks and progressing in descending order of importance.
Above all, preparations for the closing meeting must focus upon clarity and consistency, ensuring acceptance of and corrective action for any nonconformities raised, particularly in the case of the more serious ones. Observations must also be clearly summarised, as these will then serve as most useful pointers to improvement for the auditee.
Common Nonconformities
Lists of nonconformities which could be found during the evaluation of elements of a quality management system. These lists are not complete but they illustrate areas where special attention may be needed.
Whilst it is relatively simple to correct an individual deficiency, such as a missed operation, a drawing with the wrong revision number, etc., the basic cause of the deficiency may be more difficult.
In some cases, it may be due to lack of training, in others a breakdown in the control system, whilst in many manufacturing departments, it could be due to faulty equipment or the use of incorrect material.
It is important to analyse the degree of deficiency to establish the root cause and to agree a corrective action which should ensure that it will not recur.
One other factor to bear in mind is the attitude of company management at all levels towards quality management systems. Whilst most enlightened and successful companies recognise the need for quality management, many others, particularly smaller companies, tend to regard it as a necessary evil.
If the Quality Manager does not show much enthusiasm for the subject, it probably means that adequate backing from his/her directors cannot be relied upon.
No evidence could be provided to show that the QMS was preserved during changes to significant processes. Setting of objectives is not measurable. Failure to address obvious risks during the planning of the product or service. And the lack of evidence of a risk-based approach to Internal Auditing.
Stores
- Areas for goods received, in quarantine, passed inspection and those rejected not segregated and clearly defined.
- Stores bins inadequately labelled and poorly cross related to stock cards. Raw material not fully identified.
- No arrangements for date labelling limited life stock.
- No arrangements for segregating customer supplied items.
- Lax security of access to stores by unauthorised persons
- Stored items not protected from damage or corrosion.
- Material to which material certificates refer is not precisely identified.
Nonconforming Material
- Review area not adequately segregated from the acceptable material.
- Operating procedures not available.
- There is no authorised personnel list.
- Repetitive deficiencies not adequately recorded.
- Rework and repair procedures and instruction not available, or inadequate.
- Reworked items are not re-inspected prior to acceptance.
- Decisions to use non-conforming materials are made by persons without the delegated authority, and not properly recorded.
- Authority for disposal decisions not clear.
The Closing Meeting
The following format of the Audit Closing Meeting is recommended as a guide and the Lead Auditor should alter the agenda to suit the circumstances of the occasion.
Audit findings will have been informally declared to Supplier representative when they were found. These are formally reported at the Closing Meeting to the company management.
At all times, the Lead Auditor chairs the meeting.
Introduction
Prior to the Closing Meeting sequence, the Lead Auditor will have performed the following tasks in addition to managing the Audit team:
The examination of the records presented to him to ensure that the reports are based on objective and factual evidence. The Supplier will find it difficult to contest audit findings based on fact. Nonconformities should be presented in such a manner that the Supplier would be encouraged to take corrective action.
The Lead Auditor will have collated the provisional Non-Compliance Reports and observations and made judgement on the effectiveness of the Audited Quality Management System and the associated quality risk.
The Lead Auditor is required to judge when a series of individual Non-Compliance Reports from the Audit Team constitute sufficient quality risk to cause an official Non-Compliance Report to be raised.
The Lead Auditor must decide on the quality risk category when a difference of opinion between the Auditor and the Supplier occurs.
The Lead Auditor should ensure that in conjunction with each documented non-conformance, the corresponding reference to the Supplier Quality Management System is identified. Where nonconformity is documented, reference to the ISO 9001:2015 sub-clause must also be made.
Preparation for Closing Meeting
In concluding any audit activity, the professionalism of presentation made by the Audit Team is important. The findings must be presented such that they are quickly and unambiguously understood and accepted. In preparing his report, the Lead Auditor must decide if any of the nonconformities that arise are due to:
- i) Simple errors by an individual.
- ii) Minor errors of judgement.
- iii) Areas where there could be difficulty in interpreting effective corrective action.
If such nonconformities exist then the Lead Auditor must carefully judge whether or not he wishes to formally categorise them as evidence of nonconformities.
Several approaches could be adopted in the presentation of the nonconformities, but whichever is chosen should be made clear by the Lead Auditor to the Audit Team. There should be no deviation by the Audit Team from this plan.
One such approach is:
- Categorise the nonconformities in descending order of quality risk commencing with Major Quality Risks. For the benefit of the Supplier define Major and Minor quality risks (reinforcing these definitions throughout the Audit will have prepared the Supplier to the Auditor role as an Ideal Customer).
- Quote the Non-compliance Report number.
- State the relevant sub-clause in the ISO series document and its title.
- Describe what the audit team have identified to be nonconforming in relation to that sub-clause.
- Agree the timescale necessary to ensure conformance which would satisfy the recommendation resulting from this audit.
The Lead Auditor then continues his/her preparation by similarly listing other nonconformities - moving down to the Minor Quality Risks.
The Lead Auditor should be prepared to display all of the Audit Team's nonconformities and hand over those which have not been used to raise Non-Compliance Reports - with the comments, "The Reports are provided to you for action, but they will not appear in the Audit Summary Report. The expectation is that they will be scrutinised and will feature in the next audit to be held in that particular area. They may however be referred to by the Audit Team in subsequent Audit or Surveillance Visits".
Preparing the Recommendation
The Lead Auditor must take full account of the following factors when considering the final recommendation for the Closing Meeting:
- Number of nonconformities recorded.
- Relative weighting of the Major and Minor Quality Risks.
- Audit extent and depth - taking into consideration the Supplier's scope of operation and the sampling nature of the audit.
- Supplier's ability to identify the cause of nonconformities, so that the corrective action addresses the primary cause as well as the symptomatic effects.
The Lead Auditor has several recommendation options:
- Certification of the scope audited with surveillance commitment.
- Conditional Certification, subject to re-audit of corrective action of Major Quality Risks within a period of 3 months.
- The decision not to recommend Certification.
- Withdrawal of any Certification already awarded.
Completing the Audit Summary Report
The Audit Summary Report must be carefully prepared by the Lead Auditor. It will become the permanent record of the exercise and it must therefore be a complete and true record of the audit activities. Its contents must be based on observed and recorded nonconformities. It should contain the Audit Team's findings, a statement on the corrective actions necessary and the recommendation regarding certification.
The Audit Summary Report must be capable of "standing in isolation" as it will eventually be examined by the UKAS (see Section 20) and/or the Department of Trade and Industry (DTI). The professionalism and integrity of the Auditing Organisation is openly reflected in the Audit Summary Report.
Closing Meeting Arrangements
Representation of the Supplier company is, of course, at the discretion of their management. However, in the event of the audit disclosing many significant nonconformities in the Quality System, the Lead Auditor should strongly urge that senior management attend the meeting so that they can hear a first-hand report of the findings.
For the Supplier company, the presence of their senior managers at the Closing Meeting is a clear demonstration of their commitment to the Quality System. The auditors should note who attends the closing meeting and include this information in the audit report.
The Lead Auditor should ensure that the Supplier personnel who are to attend the Closing Meeting are provided with copies of the agenda and any Non-Compliance Reports that will be referred to.
In preparing for the Closing Meeting, the Lead Auditor should brief and, if necessary, rehearse Team Members on the part or parts they are required to play during the meeting. Insist that spontaneous comments in the proceedings are avoided, and that permission is required from the Chair to contribute.
Good news is normally easy to impart at such a meeting but words must be carefully chosen if bad news is to be announced. Words spoken with care and diplomacy will enable the Lead Auditor to inform the Supplier of failure of the audit in obtaining the objective evidence to satisfy the standard in such a way that they will lead to acceptance of the situation.
The Lead Auditor should be able to illustrate the need for corrective action whilst at the same time moderating any feelings of failure which may arise at the time.
During the Closing Meeting, the Lead Auditor should ensure that consistent terminology is maintained in relation to audit activities. Additionally, he should not give the Supplier any opportunity to question a judgement for what seems to be a statement of opinion.
This response from the Supplier often results from the use of words such as "major", "minor", "inadequate" or "significant". Hence, it is important to reiterate the need to allow enough time for preparation of the Audit Team for the Closing Meeting.
Always arrange for one of the Audit Team to take minutes of the meeting, and if/where that auditor is presenting, arrange that another auditor takes the minutes for that slot.
The Closing Meeting (Notes)
An approach used by experienced Lead Auditors is to request a private meeting with the Managing Director of the Supplier company just before the Closing Meeting so that he may be made aware of the recommendations before they are presented at the meeting. This approach proves to be effective, especially where a deferral or the decision not to recommend registration is being made.
In the event of a major audit with a large Audit Team, it is good practice to intersperse auditors with the Supplier company personnel around the table; hence minimising the Us-and-Them situation. This is particularly important if there is a large element of bad news in the Closing Meeting for the Supplier.
As a general guide to the categorisation of quality risk, the following benchmarking method is commonly used:
- Category 1: Significant nonconformity with a company procedure or contract requirement - which therefore represents a fundamental omission of the system.
- Category 2: Significant number of minor nonconformities with company procedures - which represents a serious system operation threat if left unchecked.
- Category 3: Minor problem area which merits attention - which represents a relaxation in adhering to system procedures and should therefore be addressed.
Closing Meeting Agenda
The Lead Auditor should quickly assert his authority on the meeting and make it clear that he is in the Chair. The agenda for the Closing Meeting should cover the following points, and attention should be drawn to the agenda, having previously ensured that copies are available to all in attendance:
- Introductions - quickly, especially if the attendees are the same as the Opening Meeting.
- The attendance sheet should be circulated - ensure everyone signs.
- Thanks to the Supplier for their assistance up to and during the audit - mentioning in particular the Executive responsible for quality, the Quality Manager and the Audit Team guides.
- The Lead Auditor briefly restates the purpose and scope of the audit and the Quality System Standard, etc. against which the Quality System has been audited.
- Emphasise the fact that an audit is a sampling exercise and therefore some Non-conformities may have been missed, since it is not possible to cover all activities of the company.
- The Chairperson (Lead Auditor) should intimate to the Supplier that questioning should be deferred until after the Audit Team has presented its findings.
- The Lead Auditor presents the findings - or the Team presents the findings (as previously arranged).
- Withdrawals (do not include on the written agenda) - if during the Closing Meeting evidence is presented to show that a finding is incorrect, it should be withdrawn there and then - with an apology expressed. If counter evidence is too long or involved to be reviewed during the Closing Meeting, it should be considered after the meeting.
- The Lead Auditor presents the audit summary, conclusions and the recommendations.
- The Lead Auditor invites the Supplier to propose a date by which corrective actions will have been completed - either as they are presented or after they have all been presented.
- The Lead Auditor identifies an auditor(s) who will be responsible for checking the effectiveness of the corrective actions and the timescale of the visit(s), if required, to witness objective evidence.
- The Lead Auditor then invites questions from the Supplier Representatives on matters arising from the presentation.
- The Lead Auditor will invite the senior representative, normally the Managing Director, to sign the Summary Report, thereby acknowledging that the Supplier understands the conclusions of the Audit including the need for any corrective action within the agreed timescale.
- State when the report may be expected and explain briefly the response expected.
- The Lead Auditor will then bring the meeting (and the Audit) to a formal end.
- If the Supplier does not accept the audit conclusions, he has the right of appeal and the Chairman must afford him such an opportunity and it is the Chairman's duty to inform him of the appeal procedure.
- If the audit leads to a recommendation for certification, the Supplier should be advised when the formal notification will be made - in any case, no longer than one week.
- As soon as the business of the Closing Meeting is concluded the auditor should thank the Supplier representatives again for their courtesy and depart as soon as possible.
- A registered auditor is required to maintain a log of audits conducted and a Supplier Representative is required to sign the log. This should be done after the Closing Meeting by either the Quality Management representative or a senior manager.
Example of a Summary Statement:
“The Company Quality System is well documented and generally in conformance with the requirements of ISO 9001:2015. However, evidence indicates that the systems and procedures have not been fully implemented in the contract, process control, training and planning areas. The audit uncovered 15 nonconformities. Of most concern is:
- Lack of an effective system for reviewing Contract quality requirements.
- Evidence of a lack of process control in assembly areas, with no methods of identifying process status.
- Little quality awareness evident for the project management personnel.
- Training in particular areas, especially process control and project management, shown to be ineffective.
- Design systems for the control of quality and design change were found to be ineffective with some significant problems.
- There is a particular need for more frequent reviews of the project management procedures.
In conclusion, the main requirement is for more senior management involvement in, and support for implementation of, effective training procedures and QMS documentation.”

Follow-Up and Close-Out
The following descriptions are geared towards larger audits/organisations. A less ‘heavyweight’ approach for smaller companies will also be discussed.
Follow-Up: This is the sequence of events and actions that are required by the Organisation being audited by the Certification Body in response to any NCRs being raised.
Close-Out: This is the final exercise of the Follow-Up process - which should be a successful verification of responses to the NCR.
By the time the Lead Auditor's formal Report arrives it is not unusual that the organisation will have already started the Corrective Action Process referring to the copies of the Non-Conformance Reports that have been left. In any event, at least the areas and personnel in the job roles referred to in the non-conformances will have had time to start developing possible corrective action strategies.
The process of identifying, implementing and then verifying the Corrective Action required is detailed - with emphasis on the roles of the Organisation’s Quality Representative (QR) as well as on the Certification Body.
Internally: The Corrective Action Process
Typically, the Corrective Action process begins with the Organisation Quality Management Representative (or nominee in the quality department), using the mechanism of an internal document called a Corrective Action Request form - commonly referred to as a CAR, or a completed copy of the Auditor's Non-Conformance Report, or ‘NCR’, (depending on company policy).
The process of using this CAR document for the Follow-Up and Close-Out is in four distinct phases; these are:
1. Requesting Corrective Action
Details of the non-conformances are sent by the Organisation Quality Department on a CAR, together with a request for corrective action, to the implicated department/area/personnel. This CAR may also include input from the Quality Department as to what corrective action may be appropriate.
The CAR will have any necessary authorising signatures from the Organisation Quality Representative, and is dated to indicate when the corrective action was requested.
2. Proposing Corrective Action
From the recipients of the CAR, the corrective action requested is proposed in a brief description in the allotted area of the CAR form. This response should correct the current non-conformance and be adequately robust to prevent recurrence.
This corrective action proposal should include an implementation date - which the management of the implicated areas commit themselves to, and to which they add their signature(s).
On completion of the corrective action proposal section, the CAR is returned to the Organisation Quality Representative (QR) for assessment. If it is agreed upon at this stage then the CAR information may be transferred to the Non-Conformance Report and signed by the QR (who may also include on the NCR the agreed ‘close out’ date).
3. Approval of Corrective Action
Depending upon the follow-up routines required by the Certification Body, the Lead Auditor, who is still involved in the post-audit follow up, may then either pass the returned NCR to the auditor who dealt with that particular NCR in the Audit, or may deal with it personally.
The Auditor evaluates the proposed corrective action - for effectiveness in addressing the identified nonconformities and preventing recurrence. If the corrective action is acceptable to the Certification Body representative, the client organisation is informed of the acceptability of the proposal.
If the corrective action is by nature involved or of a long time scale, then the Auditor may request to be updated regularly on the progress of implementation - using progress reports from the QR.
In the event of the proposed corrective action being judged ineffective in addressing the nonconformance, the auditor will communicate this to the QR and again request a revised response to the NCR.
4. Verification of Corrective Action
On receipt of the auditor’s response, the QR acts upon comments received (as necessary) and the implementation process begins (or continues).
The QR regularly reviews the implementation process up to the point of completion to ensure that the timescale will be met. If the process looks as if it will overshoot the approved implementation date, then a request for an extension is forwarded to the Certification Body.
When the corrective action is judged by the QR to be effective and the timescale has been adhered to (that is, no information to the contrary has been communicated to the Certification Body), the Lead Auditor responsible for the assessment will contact the QR after the approved Corrective Action date to carry out the Verification exercise (which may be a desk-top analysis of the acceptability of the responses, or an actual visit to the organisation).
The Verification exercise may be undertaken by the originating Auditor or the Lead Auditor, or another Auditor may be assigned to the task. In the case of the Organisation working on several NCRs, not all may require Verification Visits, but it is normal for several NCR verifications to be conducted on a single visit, and to be performed by a single Auditor.
The verification investigations are restricted solely to the scope of the NCRs that were raised in the Audit, with the purpose of ensuring that the corrective action agreed has indeed been implemented and is effective.
If the corrective action is fully verified then the Auditor Closes-Out the NCR with a signature and date on the NCR form.
In the event of the Verification Visit uncovering that the corrective action is ineffective, the NCR is not closed-out and a follow-up submission is requested which references the original NCR. This NCR is then treated in the same way as the original.
There is obviously a limit on the number of times a non-conformance can be allowed to go through this corrective action route. This is determined by the nature of the associated Quality Risk, the time elapsed since the original Audit and the policy of the Auditing Organisation. Typically, if two attempts at corrective action fail to address the nonconformity, then the audit can be classed as “not recommended for Certification”. The routines associated with further assessments are explained in each Certification Body’s contractual agreements with clients/Auditee organisations.
Notes on Corrective Action and Preventive Action
The QR is responsible for determining what effective corrective action is, ensuring implementation and monitoring to verify that it is effective.
Additionally, an NCR can prompt an investigation into the underlying causes of the non-conformance that may involve much more than the action designed to correct the actual non-conformance found. This may be so in the event that the sampling nature of the Audit uncovered a non-conformance in a single area that is prevalent throughout the company. The Lead Auditor reminds the organisation of this fact at the Closing Meeting.
The QR must therefore conduct an investigation to see whether other non-conformances of a similar nature exist. If they do, then the additional information uncovered must be addressed in the proposed corrective action. The same is expected for the preventive action addressing the prevention of recurrence of these generalised non-conformances.
Definitions – A Reminder!
‘Correction’ is defined as: “action to eliminate a detected nonconformity”; while ‘Corrective Action’ is similar, but different: “action to eliminate the cause of a nonconformity and to prevent recurrence.”
Do not forget, also, that ‘Preventive Action’ (action to eliminate the cause of a potential nonconformity or other potential undesirable situation – to prevent occurrence) is no longer a factor in ISO 9001:2015, now that “risk” is.
Training complete!
This concludes the Auditing aspect of your Lead Auditor training. If you’re reading this, chances are you’ve already sat your CQI/IRCA exam — so first of all: well done. The exam is a milestone, the certificate a feather in your cap, and the qualification a jewel in your CV; but your real “Lead Auditor development” happens in the wild, where audits are rarely neat, never perfectly timed, and occasionally powered by caffeine and pure moral fibre.
Use this manual as a working reference. Revisit it when you’re planning, preparing for, conducting, reporting on, following-up, or closing out audits. Dip in, take what you need, then get back to the real world with a clearer plan.
A quick “you vs you” checkpoint
If you completed a SWOT Analysis of yourself in relation to external auditing, now is a great time to revisit it. Compare your “before” and “after” honestly — and be specific. What improved measurably? What became easier? What still feels awkward? That sort of reflection is one of the fastest ways to turn training into competence.
Your career as an auditor starts now
Auditing can be a tough gig. It’s often misunderstood, sometimes unappreciated, and occasionally treated like an inconvenience — right up until something goes wrong and everyone suddenly remembers why audit exists. If you’ve ever felt like the “messenger who gets shot”, you’re not alone.
At SQMC, we look after our students. We don’t see you as a one-week transaction — we see you as part of the profession. Many of our learners stick with us throughout their careers because they come to view SQMC as an ally: a steady, practical voice you can return to when you need clarity, confidence, or a second opinion.
If you’re back at work and you’re planning an audit, writing an agenda, building checklists, dealing with an awkward nonconformity, or trying to close-out NCRs without starting a small civil war — you can contact us. We’ll help you think it through, pragmatically.
Authoritative industry resources
For ongoing reference (and to keep your practice aligned with current expectations), these sites are widely recognised across the conformity assessment and management systems world:
- ISO (International Organization for Standardization) – standards and official background information.
- CQI (Chartered Quality Institute) / IRCA – professional body, auditor registration, requirements and updates.
- UKAS (United Kingdom Accreditation Service) – the UK’s national accreditation body and related guidance.
- IAF (International Accreditation Forum) – global MLA arrangements and conformity assessment recognition.
Tip: standards and schemes evolve. When something feels “off” between what you remember and what you’re seeing in practice, check the current version of the relevant scheme requirements and supporting guidance.
A word about where this manual came from

Much of what you’ve read in this technical manual was compiled and refined over decades by Ian W. Hannah (1939 - 2025), the founder of SQMC. Ian was widely respected — not only by clients and students, but also by peers and (yes) even competitors — for his subject knowledge, vast practical experience, and a gift for making complex auditing topics clear through engaging, memorable anecdotes.
More importantly, he was known as a genuinely lovely gentleman: the kind of professional who could be firm on requirements without ever forgetting the human being on the other side of the table. For around 25 years, Ian wrote and maintained SQMC’s technical manuals, and a significant portion of what’s published here reflects that legacy of clarity, practicality, and professionalism.
Stay in touch
We hope you enjoyed your Lead Auditor training and your time with us at SQMC. If you were given a course evaluation form, please complete it and return it to your tutor — it’s a genuinely useful continuous improvement tool for us, and it also supports our annual accreditation surveillance activities.
Questions later? If you have any questions relating to auditing practice, quality systems, or anything in this manual, contact us.
Good luck — not just with passing an exam, but with becoming the kind of auditor people trust: fair, prepared, evidence-led, and helpful.
© Scottish Quality Management Centre (SQMC). This material is protected by copyright. Reasonable quotation for educational and reference purposes is permitted with appropriate attribution. Reproduction beyond this requires written consent from the SQMC Board.