Upload
ngotram
View
218
Download
0
Embed Size (px)
Citation preview
TC176/IAFISO 9001:2000
Auditing Practices Group
The ISO 9000 Advisory Group identified auditor competence as a critical issue when ensuring the credibility of ISO 9001:2000 certification.
Auditing Practices Group established in February 2003.
Participants
Experts nominated by:-• IAF (CRBs, ABs, Industry)• ISO TC/176(WG Int, SC1, SC2, SC3)• ISO CASCO
Aims of the Group1. Development of examples of good auditing
practices related to requirements of ISO9001: 2000 and guidelines of ISO19011: 2002
2. Development of a website where papers and examples of auditing practice against the requirements of ISO 9001:2000 are posted and available to the public without charge.
3. The information provided by the Group does not constitute IAF or ISO endorsed benchmarks or interpretations of the preferred way conformance to ISO 9001:2000 is audited.APG-Introduction.doc
Topics• The need for a 2-stage approach to auditing • Measuring QMS effectiveness and improvements • Identification of processes • Understanding the process approach • Determination of the “where appropriate” processes • Auditing the “where appropriate” requirements • Demonstrating conformity to the standard • Linking an audit of a particular task, activity or
process to the overall system
Topics• Auditing a QMS which has minimum documentation • How to audit top management processes • The role and value of the audit checklist• Scope of ISO 9001:2000, scope of quality
management system and defining scope of certification
• How to add value during the audit process• Auditing competence of personnel and the
effectiveness of actions taken• Auditing statutory and regulatory requirements
Topics• Auditing quality policy and quality objectives• Auditing the control of monitoring and measuring
devices• Effective use of ISO 19011:2002• Auditing customer feedback processes• Documenting a nonconformity• Reviewing and closing a nonconformity• Auditing preventive action• Auditing continual improvement
Topics
• Auditing service organizations
• Auditing Internal Communication
• Third party auditor impartiality and conflict of interest
• Auditing the effectiveness of the internal audit
• Auditing Electronic-Based Management Systems (EBMS)
Topics
• Auditing the Design and Development Process
• Auditor Code of Conduct and Ethics
• Auditing the Management of Resources
Accreditation Auditing Practices Group (AAPG) Topics
• The Witnessing of CRB Audits by an Accreditation Body
• “Process approach" based accreditation audits
• Auditing the competence of quality managementsystem certification/registration body auditors and audit teams
The need for a 2 stage approach to auditing
• Auditing to ISO 9001:2000 requires a good understanding of the business and QMS
• The primary purpose of the 1st stage audit
• Activities performed during the 1st stage audit
APG-2stage.doc
Measuring QMS effectiveness and improvements
(Open presentation)
Microsoft owerPoint Presentatio
Identification of Processes• Can the auditee distinguish between processes and
activities?
• Be able to adapt to the auditee’s situation
• Determine if there is a problem with difference in terminology
• Determine if there is a real lack of implementation of the process approach
APG-IdentifyProcesses.doc
Understanding the process approach (1)
The Auditor should realise several steps are needed• Determine the processes and responsibilities needed
to attain objectives• Determine and provide adequate resources and
information• Establish and apply methods to monitor and analyse
processes• Establish and apply a process for continual
improvement
Understanding the process approach (2)
The Auditor also needs to:-• Be aware that application of the process approach
will be different from organization to organization• Understand the process approach to a level beyond
the terminology of the standard• Consider small & medium enterprises who may not
need many processes• Ensure that misunderstandings are identified and
resolved during the 1st stage audit
Understanding the process approach (3)
The Auditee needs to consider:-• Establishment of process objectives• Process planning• Availability of suitable records
Redefinition of processes during the 1st stage audit can identify activities incorrectly described as processes
APG-UnderstandProcessApproach.doc
Determination of the “where appropriate” processes
• Terminology• Definition of process• Exclusions
APG-DetermineWhereAppropriate.doc
Auditing “where appropriate”requirements (1)
• Determine the application of ISO 9001:2000• Ensure “where appropriate” requirements are
appropriate• Does the requirement add value?• Does it increase the risk of not meeting customer
requirements?
Auditing “where appropriate”requirements (2)
Need for experience to make a judgement on a technical issue
• Sector knowledge• Competence • Auditing skills• Knowledge of the processes• Objective evidence
APG-AuditWhereAppropriate.doc
Demonstrating conformity to the standard
• Auditing processes versus auditing to the standard's clauses
• Audit checklists may not be sufficient• What is adequate sampling?
APG-DemonstrateConformity.doc
Linking an audit of a particular task, activity or process to the
overall system
• Overall direction of the audit• Interaction of processes• Importance of processes• Take samples
APG-AuditofTasktoSystem.doc
Auditing continual improvement
• How much improvement is “enough”? • What sort of information is relevant and where can
we find it? • Improvement of the process or improvement of the
QMS?
APG-AuditContinualImprovement.doc
Auditing a QMS which has minimum documentation
The necessity for any documentation should be evaluated in the light of:• the observed need for consistency• the role that any documentation could play
in avoiding any significant, identified risks.
APG-MinDocumentation.doc
How to audit top management processes
• Identifying top management processes• Conducting the audit• Audit reporting
APG-AuditTopManagement.doc
The role and value of the audit checklist
• Need for checklists• The use of audit checklists• Advantages• Disadvantages• Conclusion
APG-Checklist.doc
Scope of ISO 9001:2000, Scope of Quality Management System (QMS) and Defining
Scope of Certification
• ISO 9001:2000 clause 1 Scope defines the scope of the standard, not to be confused with QMS scope
• The scope of a QMS should be based on the:– nature of products and realization processes – result of risk assessment– commercial considerations – contractual, statutory and regulatory requirements– ISO 9001:2000 clause 1.2 Application
• Scope of registration/certificationAPG-Scope.doc
How to add value during the audit process (1)
• “Value-added” quality management systems• Value-added auditing
Maturity of “Quality culture”
Mat
urity
of Q
MS
Mat
urity
of Q
MS
LowLow HighHigh
““ Non
Non
-- con
form
ing”
conf
orm
ing”
“Con
form
ing”
Zone 1 Zone 2
Zone 3 Zone 4
How to add value during the audit process (2)
Some tips for Value-added auditing• Audit planning• Audit technique• Analysis and decision• Report and follow-up
APG-HowtoAddValue.doc
An organization will need to:• Identify what competencies are required• Identify which personnel already are competent• Decide what additional competencies are required• Decide how these are to be obtained • Train, hire or reassign personnel• review competence of personnel
Auditing 'competence' and 'effectiveness of actions taken'
(1)
Auditing 'competence' and 'effectiveness of actions taken‘
(2)Auditor would seek evidence of:• Identification of competencies required• Assignment of competent personnel• Evaluation of the effectiveness of actions taken• Maintenance of competence
APG-AuditingCompetence.doc
Auditing statutory and regulatory requirements
• An organization must identify and control the statutory and regulatory requirements applicable to its products (including services).
• Evidence should be obtained that these requirements are being satisfied
APG-StatutoryRegulatory.doc
Auditing quality policy and objectives (1)
Auditing quality policy• Interview top management to verify that the
organization’s overall quality objectives have been defined
• Evaluate commitment and involvement• Have management disseminated the policy
throughout the organization?• Determine awareness among personnel at all levels
Auditing quality policy and objectives (2)
Auditing quality objectives• Verify that the organization’s overall quality objectives
have been defined• Do they reflect the quality policy?• Are they coherent, aligned and compatible with the
overall business objectives, including customer expectations?
APG-QualityPolicyandObjectives.doc
Auditing the control of monitoring and measuring
devicesIt is important for the auditor to understand the
differences between:-• “monitoring” and “measurement”, and • “equipment” and “devices”.
The different sub-clauses of the standard refer to all of these in isolation and together so clause 7.6 should be read carefully.
APG-ISO9001Clause7.6.doc
Effective use of ISO19011:2002
The standard contains guidance on:-• The principles of auditing• Managing an audit programme• Audit activities• Competence and evaluation of auditors
APG-EffectiveUseofISO19011.doc
Auditing customer feedback processes
• What are the requirements?
• What should be addressed when auditing customer feedback processes?– Prior to the audit of the customer feedback
process (preparation stage)– During the process assessment
APG-CustomerFeedback.doc
Documenting a nonconformity
• What is a nonconformity?
• Identify and document the audit evidence• Determine the requirement• Write the statement of nonconformity
APG-DocumentNonconformity.doc
Reviewing and closing a nonconformity
Auditors not only write nonconformities but are also responsible for the review of the response to the nonconformity
• Correction• Determination of cause• Corrective action• Objective evidence• Closing nonconformitiesAPG-ReviewNonconformity2.doc
Auditing preventive actionHow the organization:• Determines potential nonconformities &
causes• Evaluates the need for preventive action• Determines action required & how it is
implemented• Records results of actions taken• Reviews preventive actions taken
“Philosophical” discussion - auditor and auditeeAPG-ReviewNonconformity2.doc
Auditing service organizations• Design and development of the service• Validation of processes for production and
service provision• 2 types of Services
- those involving the customer in the realization of the service itself (real time delivery) and
- those in which the output is delivered to the customer after the realization of the process
• Control of nonconforming product
Auditing Internal Communication
• Identification of the people between whom the communication is to occur
• Information to be communicated• Means by which this is to be achieved• Methods selected to monitor its effectiveness• Documentation and records necessary to verify it
has occurred
Third party auditor impartiality and conflict of interest
• CRB commitment to impartiality• Threats to auditor impartiality• Safeguards to auditor impartiality• Assessing the level of impartiality risk• Determining the acceptability of the level of
impartiality risk• Organizational and structural issues
Auditing the effectiveness of the internal audit
Issues to evaluate :• the competencies that are needed for and applied to
the audit • the risk analysis performed by the organization (if
any) in planning internal audits• the degree of management involvement in the
internal audit process • the way the outcome of the internal audit process is
used by the organization to evaluate the effectiveness of its QMS and to identify opportunities for improvements.
Auditing Electronic-Based Management Systems (EBMS)
• Audit Initiation and Planning• Document Review• On-Site Realization Activities• Auditing the Control of Electronic Documents• Auditing the Control of Electronic Records• Organizational Resources• Internal and External Electronic Communication• Multi-Site Management Systems• Auditor Competence
The Witnessing of CRB Audits by an Accreditation Body
• Pre-audit preparations
• During the audit
• Feedback and reporting of results
“Process approach" based accreditation audits
• CRB objectives
• Typical processes of CRBs
• Example of questions to be asked by an AB during a process based audit
Auditing the competence of quality management
system CRB auditors and audit teams
• Evaluation of auditor qualifications and competence• Personal attributes • Generic knowledge and skills• Processes and products• Size of Organizations• Culture and Language• Legal, statutory, and regulatory requirements• Evaluation of competence requirements• Deployment of a team of competent auditors
Copies of the guidance documents referred to in this presentation can be obtained from:
www.iaf.nuwww.iso.org/tc176/ISO9001AuditingPracticesGroup
Comments on the papers or presentations can be sent to the following email address:
Feedback from users will be used by the ISO 9001 Auditing Practices Group to determine whether additional guidance
documents should be developed, or if these current ones should be revised.
DisclaimerThese papers have not been subject to an endorsement
process by the International Organization for Standardization (ISO), ISO Technical Committee 176, or the International Accreditation Forum (IAF).
The information contained within them is available for educational and communication purposes. The ISO 9001 Auditing Practices Group does not take responsibility for any errors, omissions or other liabilities that may arise from the provision or subsequent use of such information.
Thank you!
Auditing Practices Group &
Accreditation Auditing Practices Group