Astute Consulting




PRESENTATION ON
INTERNAL AUDITING OF
MANAGEMENT SYSTEMS

STRUCTURE OF PRESENTATION
Introduction
=====================================================
ISO 19011:2002 - Guidelines for Management Systems Auditing
Principles for Auditing
Managing an Audit Programme
Audit Activities
=====================================================
Exercise

INTRODUCTION
Management Systems based on International Standards emphasize the
importance of Audits as:
- A management tool for monitoring and verifying effective
implementation of an organization's policy.
- An essential part of Conformity Assessment activities like -
Certification
Supply-chain evaluation
Surveillance

ISO 19011:2002 provides guidance to conduct audits for:
- Quality Management Systems
- Environmental Management Systems
- Other audit-related requirements (e.g. OHSAS 18001)

TYPES OF AUDIT
Audits can be categorized as:
- System audit (management systems like ISO, TQM, CMMi, etc.)
- Process audit (a single process is selected)
- Product audit (like CE, ISI, etc.)
- First-party audit OR Internal Audit
- Second-party audit (by customers or on their behalf)
- Third-party audit OR External Audit (by independent auditing
organizations for certification)
- Compliance audit (by government authorities for legal compliance)
- Pre-assessment audit (Stage - 1 audit)
- Certification audit (Stage - 2 audit)
- Surveillance audit

OBJECTIVES OF INTERNAL AUDIT
To monitor conformance to:
Documented system in operation
Requirements of management systems


To determine effectiveness of implemented management system in
meeting the specified IMS objectives

To provide the auditee with an opportunity to improve the system

To meet the regulatory requirements
SECTIONS 1 & 2

SECTION 1: Scope
Guidance on principles of auditing, managing audit programmes,
conducting management system audits

SECTION 2: Normative references
ISO 9000:2000 (Quality Management Systems - Fundamentals &
vocabulary)
ISO 14050:2002 (Environmental Management - Vocabulary)

Audit Scope
Documentation
Processes & sub-processes
Products
Materials

Infrastructure
Human resource
SECTION 3

SECTION 3: Terms and definitions

Audit - Systematic, independent and documented process for
obtaining audit evidence and evaluating it objectively to determine
the extent to which the audit criteria are fulfilled

Audit criteria - Set of policies, procedures or requirements (viz. IMS
requirements)

Audit evidence - Records, statements of fact or other information,
which are relevant to the audit criteria (qualitative or quantitative)

Auditee - Organization / department being audited

Auditor - Person with competence to conduct an audit

Technical expert - Person who provides specific knowledge or
expertise to the audit team (TE is not an auditor)
SECTION 4

PRINCIPLES OF AUDITING
SECTION 4
Principles of Auditing

Auditing principles are:

Auditor related

Ethical Conduct: Foundation of professionalism (trust, integrity,
confidentiality and discretion)
Fair Presentation: Report truthfully and accurately (audit findings, audit
conclusions, audit reports, obstacles encountered, etc. are to be
reported)
Due Professional Care: Application of diligence and judgement in
auditing


Audit related

Independence: Basis for impartiality of audit and objectivity of audit
conclusions
Evidence-based Approach: Rational method for reaching reliable
and reproducible audit conclusions in a systematic audit process
(appropriate use of sampling)
BASIC APPROACH TO AUDITING
HORIZONTAL AUDITING
This examines one element in a process on more than
one item. It is a detailed check of a particular aspect of
the documentation and implementation of the
management system.
VERTICAL AUDITING
Examines more than one element in a process, on one
item. It is a detailed check that all elements associated
with a chosen standard are implemented.
RANDOM AUDITING
Examining aspects as determined by the auditor and /
or as need based (Process audit; e.g. retail front-end
audit)
FORWARD OR BACKWARD AUDITING
Examining sequentially forward or backward from the
starting point according to the process / operations
(e.g. Purchasing>>Store>>Production>>Sales OR
Sales>>Production>>Store>>Purchasing)
SECTION 5

MANAGING AN AUDIT PROGRAMME
SECTION 5
Managing an Audit Programme

General:


The Audit Programme to include all activities necessary for

Planning & organizing types & number of audits
Providing resources to conduct them effectively & efficiently within the
specified time-frames



Personnel assigned the responsibility should

Establish, implement, monitor, review and improve the audit programme
Identify the necessary resources and ensure they are provided

SECTION 5

Objectives of an audit programme:

Objectives to be based on the consideration of

Management system requirements

Statutory, regulatory and contractual requirements

Customer requirements

Needs of other interested parties

Risks to the organization
SECTION 5
Audit Programme Objectives and Extent

Extent of an Audit Programme:

The extent can vary & will be influenced by:

- Conclusions of previous audits or results of review
- Concerns of interested parties
- Significant changes to an organization or its operations
- Standards, statutory, regulatory & contractual requirements
- Size, nature and complexity of organization
- Scope, objective and duration of each audit
- Frequency of audits
- Number, importance, complexity, similarity and locations of activities

AUDIT FREQUENCY AND PLANNING

Internal Audits are conducted within an organization at planned
intervals to check the effectiveness of the system.

The frequency and planning of audits need to be decided considering the
following factors:




AUDIT PLANNING
Scope of audit
Size of organization
Scale of operations
Number of departments / functions
Active documentation to be reviewed
Experience of the internal auditors
AUDIT FREQUENCY
Nature of activities
Time required for planning and reporting of audit
SECTION 5

Audit Programme Responsibilities, Resources and Procedures

Audit program responsibilities:





Person responsible for managing an audit programme should
Establish objectives and extent of audit programme
Establish responsibilities and procedures
Ensure resources are provided
Ensure implementation of audit programme
Ensure that appropriate audit programme records are maintained
Monitor, review and improve the audit programme




SECTION 5
Audit Programme Responsibilities, Resources and Procedures

Audit program:

The audit programme should include the following

Audit planning
Audit scheduling
Selection of appropriate audit teams
Assigning roles and responsibilities to the audit teams
Conducting audits
Maintaining audit records
Monitoring performance & effectiveness of audit programme
Reporting to top management on the overall achievements of the audit
programme
SECTION 5
Audit Programme Records


Individual audit records:
Audit plans
Audit reports
Nonconformity reports
Corrective action reports





SECTION 5
Audit Programme Monitoring & Reviewing






The review of audit programme should consider

Results and trends from monitoring
Conformity with procedures
Audit programme records
Alternative or new auditing practices
Consistency in performance between audit teams in similar situations




SECTION 6

AUDIT ACTIVITIES
SECTION 6
Initiating the Audit

Defining Audit Objectives, Scope and Criteria:

Audit objectives defined and may include
Determination of extent of conformity of management system with the audit criteria
Ensure compliance with statutory, regulatory & contractual requirements
Evaluation of effectiveness of management system in meeting specified objectives
Identification of areas for potential improvement of the management system





Audit scope describes extent & boundaries of audit like
Physical locations
Organizational units
Activities & processes to be audited
Time period



Audit criteria are used as reference against which conformity is determined like
Applicable policies & procedures
Standards, laws and regulations
Management system requirements
Contractual requirements
Industry specific codes


SECTION 6

Preparing the Audit plan:

Audit team leader to prepare an Audit Plan for the internal audit
It must cover the following
Audit objectives, audit criteria and reference documents
Audit scope, including identification of functional units & processes to be audited
Dates, places, expected time & duration of on-site audit activities including
meetings within audit team & with auditee
Allocation of appropriate resources to critical areas of audit
Identification of auditee





SECTION 6
Conducting Audit Activities

Communication during the audit:

The audit team leader must confer periodically to exchange information, assess audit
progress, and to reassign work between audit team members as needed.
The audit team leader should periodically communicate progress of audit and any
concerns to the auditee, as appropriate
Evidence collected during the audit that suggests immediate and significant risk
should be reported to the auditee without delay
Concern about any issue outside the audit scope should be reported to the audit team
leader for possible communication to the auditee

SECTION 6
Conducting Audit Activities

Collecting and Verifying Information:

All information related to the following needs to be collected
Audit objectives
Audit scope
Audit criteria
Interfaces between functions, activities & processes

All such information must be collected through sampling methodology and should be
verified as only verified information can be considered as audit evidence
Audit evidence must be recorded
Methods to collect information include
Interviews
Observation of activities
Review of documents
METHODS OF COLLECTING INFORMATION



INTERVIEWS
Interview the persons / employees who are involved in the activities
Asking questions like: describe your work, list all activities, etc.
OBSERVATION
Looking at various constituents like
1. Processes, sub-process, activities: inputs, outputs, measurement criteria,
process owner, interrelation, interaction, etc.
2. Materials, equipment, tools: storage facilities, disposal facilities, work
instructions, signage, infrastructure, etc.
3. Products / Services: attributes, characteristics, usage, disposal, control
measures, etc.
4. Human resources: competency, training, awareness, skills, etc.
DOCUMENTATION
Examining all related documentations like
1. Policies & procedures
2. Planning documents
3. Work instructions
4. Inspection / test data, specifications, failure reports
5. Contracts / orders, licenses, permits
6. Minutes of meetings, audit reports, calibration records, etc.
7. Customer feedback, external ratings, etc.
TYPES OF QUESTIONS TO BE ASKED




DIRECT QUESTIONS
What is the procedure followed for maintenance of GTC?
What is the procedure used for calibration of instruments?
What is the method of checking quality or quantity of NG?
When do you feed an FIR / FAR onto the online portal?
GENERAL QUESTIONS
Addressed to the entire group giving participants a chance to ask a
question like -
1. What do you understand by IMS?
2. How do you ensure adherence to HSE requirements?
OPEN QUESTIONS
Used to search and probe for the unknown like -

1. How do you do the inspection of pipeline?
2. How do you find your customers' requirements?
3. What is the document control procedure?
4. What is the escalation matrix for HSE issues?
CLOSED QUESTIONS
Used to check known or expected facts such as

1. What are the legal compliances that you adhere to?
2. Did you check the parameters effectively before custody transfer?
3. Have you issued the work permit for welding?
SECTION 6

Conducting Audit Activities

Generating Audit Findings:

Audit evidence to be evaluated against the audit criteria to generate audit findings
Audit findings can indicate either Conformity or Nonconformity with audit criteria
The audit findings can identify opportunity for improvement in accordance with the
audit objectives
For each Conformity
Summarize to indicate locations, functions or processes
Supporting evidence to be recorded along with each audit finding
For each Nonconformity

Supporting evidence to be recorded along with each audit finding
Review with auditee for acknowledgement
Record unresolved points
SECTION 6
Preparing the Audit Report

Preparing the audit report:

The audit report must be complete, accurate, concise and clear and include the
following -

Audit scope & objectives
Identification of auditee, departments, functions audited
Dates, places of on-site audit activities
Audit criteria, findings & conclusions
Audit plan
List of auditors
Checklist, non-compliances, observations
Summary of audit process
Recommendations for improvement


OVERVIEW OF INTERNAL AUDIT PROCESS
PROCESS OWNER ACTIVITY
SCHEDULING
MR
Maintain schedule of audit
Monitor schedule of audit
CONDUCTING
Auditor Conduct audit
REPORTING
Auditor
Prepare Nonconformity report
Discuss the Internal Audit Report
RCA
Auditee
Agree to the audit findings
Refer recommendations
Plan for Corrective actions
CA
Auditee
Take Corrective actions
Feedback of CA to MR
Monitor implementation of CA
Verification of CA
MR
MR
Follow Up of CA in next audit
Report for Management review
Measure IMS performance
PERFORM THE AUDIT
PROCESS ACTIVITY
SAMPLING
Sample a variety of
- People
- Records
- Documentation
- Procedures
- Work instructions, etc.
Sample size varies (usually 3-5)
Auditor to pick samples randomly i.e. 15-Aug-2010: Check PO details # 150810

Take notes on checklist instead of taking copies unnecessarily
INFORMATION CAPTURING
Record information like
- Observations & Quotes
- Document information (name, number, revision, date, etc.)
- Auditee names, area audited
- Non-conformities, if any
Observations: Notes made by an auditor during assessment may lead to
non-compliances being raised or to provide information for the audit report
NONCONFORMITY IDENTIFYING
Identify any deviation from specified requirements like
- Contract or purchase order
- IMS Manual, SOPs, SMPs
This must be done based only on objective evidence
Nonconformity: The non-fulfillment of specified requirements i.e. IMS
(ISO 9001:2008, ISO 14001:2004, OHSAS 18001:2007)
PERFORM THE AUDIT
PROCESS ACTIVITY
NONCONFORMITY CAPTURING
Capture a Nonconformity when
- The procedure, or lack of, does not comply with the requirement of the
standard
- Practice does not match the procedure
- Procedure or practice is not effective in producing the required output
Consider the seriousness of Nonconformity
- What is the impact on product / service / environment / health &
safety, etc.
- What could go wrong if the Nonconformity persists?
- What is the likelihood of error?
- Is there a breakdown in the system?
NONCONFORMITY REPORTING
Writing & Wording of NCRs
- Written NCs must be unbiased by stating the: Requirement, Deviation &
Observation
- Justified and factual information to avoid challenge of findings
- Important areas to look for like:
1. Management Commitment
2. Competence
3. Communication
4. Continual Improvement
Objectives of NCR
- Used to report audit findings
- Must be factual
- Must be understandable & traceable
- Raise non-compliances on completion of audit
- Allow auditee to implement CA prior to closing meeting
- Auditee requested to sign signifying an understanding & acceptance of NCs
PERFORM THE AUDIT
PROCESS ACTIVITY
CATEGORISING NONCONFORMITY
Major
- Single major NC related to system, product or service
- Lack of procedures needed to satisfy an agreed requirement
- Non-implementation of documented procedures and arrangements
- Series of minor NCs in a particular area / activity that can collectively
have an adverse impact on product, service, environment or health & safety
Minor
- Minor discrepancies in documentation
- Minor discrepancies in procedures
- Minor discrepancies in implementation
- Minor discrepancies against defined system, procedures, criteria at
acceptable levels, but having scope for better demonstration of
adherence to IMS requirements
REPORTING
Write report with NC as problem to be solved (not as a solution) like
- YES: NC material was found near goods storage area
- NO: NC material area needs to be designated
Reporting Hints:
- What is the problem?
Describe clearly, concisely & factually
- Why is it a non-compliance?
i.e. against which requirement
- Where did it occur?
i.e. which department or activity
- Who was / is responsible?
i.e. Avoid apportioning blame by naming people
PERFORM THE AUDIT
PROCESS ACTIVITY
CLOSURE
Corrective Action Plans
- Auditee to submit a CAP within an
agreed time frame
- To include:
1. RCA
2. Responsibility
3. Timeline, etc.
Auditor to review proposed CAP for
- Adequacy
- Timeliness
- Completeness of documentation
Auditor to verify effectiveness of CA
Closing of NC
Exercise:

Identify Nonconformities for the given Case study
CORRECTIVE ACTION RESPONSIBILITIES
Nonconformity
Raise NCR Sign Agreement Categorise
Report at
Closing Meeting
Auditor Auditor Auditee Lead Auditor
Propose C/A
Accept/ Reject
Proposed C/A
Implement C/A
Auditor Auditee Auditee
Monitor Effective
Action
Complete Action
Taken Section
Review Action
Taken
Reject Action
Taken or Close NCR
Auditor Auditor Auditee Auditee
SECTION 7

COMPETENCE OF AUDITORS
SECTION 7
Personal Attributes

Auditors should possess attributes that enable them to act in accordance with principles of
auditing


Diplomatic
A good judge
Industrious
Analytical
Listener
Able to communicate well
Unbiased
Honest
Interested
Patient
Self disciplined
Open minded
Inquiring
Professional
Articulate
Trained
Not afraid of unpopularity

Cynical
Undisciplined
Deaf
Impatient
A quitter
A nit picker
Poor at communication
Dishonest
Argumentative
Anxious to please
Self-opinionated
Easily influenced
Too rigid
SECTION 7
Knowledge and Skills
Auditors should have knowledge and skills in the following areas -


Audit principles & procedures
Audit planning
Conducting audit
Information gathering
Sampling techniques
Observation skills
Audit reporting
Communication
Confidentiality
Application of management systems
Application of reference documents
Information technology
Understanding of organizational / cultural differences

Generic Knowledge
Organizing capacity
Direction & guidance
Resolving conflicts

Specific Knowledge
Quality tools
Environmental terminology
OH&S practices
Technical skills