ISO 13485 IA Course Manual 0-12 Merged R01.00

This document is a training manual for the ISO 13485:2016 Internal Auditor certification course. It provides an overview of quality management systems, auditing standards and procedures, and guidance for planning and conducting internal audits. The manual covers topics such as fundamentals of quality management, requirements of ISO 13485, auditor competencies, developing an audit program, audit planning, and audit activities. The goal is to train auditors to evaluate conformity and effectiveness of their organization's quality management system in complying with ISO 13485.


Training Manual

ISO 13485:2016

INTERNAL QMS AUDITOR TRAINING

Certified Training Course


ISO 13485:2016 Internal Auditor – Training Manual

Table of Contents
Welcome to your CQI / IRCA Certified - ISO 13485:2016 Internal Auditor course ................................ 5
About the CQI and IRCA .................................................................................................................... 5
1. Course Objectives ......................................................................................................................... 6
2. Fundamentals of Quality ............................................................................................................... 7
Fundamental Concepts ..................................................................................................................... 7
How Is Quality Achieved? ................................................................................................................. 8
Relationship Between ISO 13485 And Product / Service Quality ...................................................... 9
Benefits of a Quality Management System ....................................................................................... 9
3. Introduction to Quality Management System Standards ............................................................ 10
Sector-Specific Standards ............................................................................................................... 10
Integrated Management Systems ................................................................................................... 11
Registration Systems ....................................................................................................................... 11
Seven Quality Management Principles ........................................................................................... 12
Developing a Quality Management System Using the Fundamental Concepts and Principles: ...... 13
Process Approach and Organisational Structure............................................................................. 14
4. ISO 13485:2016 Summary of Requirements ............................................................................... 15
Summary of key requirements of ISO 13485:2016 ......................................................................... 15
5. Introduction to Quality Auditing ................................................................................................. 19
ISO 19011:2018............................................................................................................................... 19
What is Auditing? ............................................................................................................................ 19
Seven Principles of Auditing............................................................................................................ 20
The Internal Audit Requirements of ISO 13485:2016 ..................................................................... 21
Purpose of Auditing ........................................................................................................................ 21
Types of Audits ............................................................................................................................... 22
Certification Audits ......................................................................................................................... 22
Human Elements of Auditing .......................................................................................................... 23
Managing an Audit Program ........................................................................................................... 24
Determining and Evaluating Audit Programme Risks and Opportunities ........................................ 25
Managing Audit Programme Results............................................................................................... 26
Managing and Maintaining Audit Programme Records .................................................................. 26
Monitoring Audit Programme ......................................................................................................... 27
Reviewing and Improving the Audit Programme ............................................................................ 27
ISO 19011:2018 Process Flowchart for Auditing ............................................................................. 28
6. Planning the Audit Programme ................................................................................................... 29

© IQC R01.00 2
Initial Stages of the Life Cycle ......................................................................................................... 29
How Much Auditing? ...................................................................................................................... 29
Auditor’s Responsibilities ................................................................................................................ 29
Auditor Selection ............................................................................................................................ 30
Auditor Competence and Evaluation of Auditors ........................................................................... 30
Determining Auditor Competence .................................................................................................. 31
Personal Behaviour ......................................................................................................................... 31
Auditor Knowledge and skills .......................................................................................................... 31
Discipline and Sector-Specific Competence of Auditors ................................................................. 32
Audit Scope and Schedule / Frequency........................................................................................... 35
Frequency of Audits ........................................................................................................................ 36
7. Audit Preparation (Planning)....................................................................................................... 37
Risk Based Approach to Planning .................................................................................................... 37
Process Approach ........................................................................................................................... 38
Critical Success Factors ................................................................................................................... 38
Audit Plan........................................................................................................................................ 38
Initial Auditee Contact .................................................................................................................... 39
Studying Data and Documentation ................................................................................................. 39
No Formal System ........................................................................................................................... 39
Work Documents ............................................................................................................................ 40
Audit Checklists ............................................................................................................................... 40
Teamwork ....................................................................................................................................... 41
Classification of a Non-Conformity ................................................................................................. 41
Guidelines for Productive Meetings ................................................................................................ 42
8. Carrying out the Audit / Conducting Audit Activities .................................................................. 43
Opening Meeting ............................................................................................................................ 43
Auditing a Process ........................................................................................................................... 43
Audit Methods ................................................................................................................................ 44
Sequence for Audit ......................................................................................................................... 45
Auditing Effectiveness and Improvement ....................................................................................... 45
Next Level of Auditing ..................................................................................................................... 46
Applicable Audit Methods .............................................................................................................. 48
Communication............................................................................................................................... 48
Audit Trail ....................................................................................................................................... 50
Behaviour ........................................................................................................................................ 50

Conflict Management ..................................................................................................................... 50
Audit Sampling ................................................................................................................................ 51
What Is Adequate Sampling? .......................................................................................................... 51
Audit Evidence ................................................................................................................................ 52
Preparing for the Closing Meeting .................................................................................................. 52
Closing Meeting .............................................................................................................................. 53
9. Audit Report................................................................................................................................ 54
Include in the Audit Report ............................................................................................................. 54
Distributing the Audit Report .......................................................................................................... 54
10. Corrective Actions ................................................................................................................... 55
Corrective Action ............................................................................................................................ 55
Verifying Corrective Action ............................................................................................................. 55
11. Audit Program Review and Golden Rules ................................................................................ 56
Audit Programme Review and Improvement.................................................................................. 56
Golden Rules for Auditing ............................................................................................................... 56
12. Audit Guides and Certification Scheme for Quality Management System Auditors ................. 58
Audit Guides ................................................................................................................................... 58
Auditor Certification ....................................................................................................................... 58
Help Us to Improve Your Experience .................................................................................................. 59


Approved Training Partner

CQI/IRCA

Welcome to your CQI / IRCA Certified - ISO 13485:2016 Internal Auditor course

Irish Quality Centre (IQC) has been independently assessed and approved by the Chartered
Quality Institute (CQI) and the International Register of Certified Auditors (IRCA).
This ensures we have the processes and systems in place to deliver certified courses to the
highest standard.

About the CQI and IRCA

The CQI is the only chartered professional body dedicated entirely to quality.
IRCA is its specialist division dedicated to management system auditors.
Take the next step in your career and become a member. Join a unique global network of
nearly 20,000 quality professionals and gain unrivalled professional recognition as an
individual and in your career.
Find out more about the CQI and IRCA at www.quality.org

We hope you enjoy your course


1. Course Objectives

By the end of the course participants will be able to:

• Describe the purpose of a quality management system (QMS), and the benefits it brings to the
business.
• Understand the fundamental concepts of quality management and auditing and explain the
seven principles of quality management.
• Explain the relationship between quality management and customer satisfaction.
• Explain the purpose, content and inter-relationship of ISO 9000, ISO 13485, other relevant
QMS standards, ISO 9004 and ISO 19011.
• Understand the structure and key requirements of ISO 13485, and the process approach.
• Interpret the requirements of ISO 13485 in the context of an audit.
• Demonstrate the use of the Plan-Do-Check-Act cycle in management and auditing.
• Describe the role of internal audit in the maintenance and improvement of management
systems.
• Understand the different types of audits.
• Explain the seven principles of auditing.
• Describe managing an audit programme.
• Discuss the establishing and implementing of audit programmes and associated objectives.
• Describe the competence, assessment of and roles and responsibilities of auditors and lead
auditors.
• Plan and conduct an audit in accordance with ISO 19011, demonstrating ability to:
o Plan and prepare effectively
o Gather objective evidence, through effective interviewing, observation, sampling and
note taking.
o Analyse and interpret information in order to determine conformance with
requirements, effectiveness, and areas for improvement.
• Prepare and distribute an audit report (including writing valid, factual and value-adding audit
reports)
• Undertake audit follow-up activities, including evaluating the effectiveness of corrective
action.
• Explain how to monitor, review and improve the audit programme
During the two days participants will acquire knowledge and skills in auditing. However, auditing, like
any other acquired skill, requires practice. The best place to practise and extend your experience is
during actual audits.


2. Fundamentals of Quality

• Fundamental concepts
• How is quality achieved
• Relationship between ISO 13485 and Product/Service Quality
• Benefits of QMS
Fundamental Concepts

Quality management concepts give the organisation the capacity to meet challenges presented by an
environment that is profoundly different from recent decades. By providing fundamental concepts to
be used in the development of a Quality Management System (QMS), ISO 13485 provides a way of
thinking about the organisation more broadly.
The fundamental concepts outlined in ISO 9000 are:
• Quality
• QMS
• Context of an organisation
• Interested parties
• Support.
Quality
Quality is defined in ISO 9000 as the:

“degree to which a set of inherent characteristics of an object fulfils requirements”

A characteristic can be, for example:
• Physical, (e.g. mechanical, electrical, chemical or biological characteristics)
• Sensory, (e.g. related to smell, touch, taste, sight, hearing)
• Behavioural, (e.g. courtesy, honesty, veracity)
• Temporal, (e.g. punctuality, reliability, availability)
• Ergonomic, (e.g. physiological characteristic, or related to human safety)
• Functional, (e.g. maximum speed of an aircraft)
Requirements for example can be product requirements, quality management requirements,
customer requirements or quality requirements.
Quality Management System
ISO 9000 defines a QMS as:

“part of a management system with regard to quality”


A management system is a set of interrelated or interacting elements of an organisation to establish
policies and objectives, and processes to achieve those objectives.

Quality Management (see Note 1) comprises:
• Quality Policy (see Note 2)
• Quality Objectives (see Note 3)
• Quality Planning (see Note 4)
• Quality Assurance (see Note 5)
• Quality Control (see Note 6)
• Quality Improvement (see Note 7)

Note 1: Quality Management includes establishing the Quality Policy, Quality Objectives, and
Processes to achieve these quality objectives through Quality Planning, Quality Assurance, Quality
Control, and Quality Improvement.
Note 2: Generally, the Quality Policy is consistent with the overall policy of the organisation and
provides a framework for setting quality objectives. The seven quality management principles can
form a basis for establishing the Quality Policy.
Note 3: Quality Objectives should be based on the Quality Policy.
Note 4: Part of Quality Management focused on setting Quality Objectives and specifying necessary
operational processes and related resources to fulfil the Quality Objectives. (ISO 9000)
Note 5: Part of Quality Management focused on providing confidence that quality requirements will
be fulfilled. (ISO 9000)
Note 6: Part of Quality Management focused on fulfilling quality requirements. (ISO 9000)
Note 7: Part of Quality Management focused on increasing the ability to fulfil quality requirements.

How Is Quality Achieved?


Human
Resourc
Marketi Quality is achieved by the application of the closed-loop
ng
es
Plan-Do-Check-Act cycle at all levels in all business
processes and ensuring that these processes function as
Managem
ent
Sales a coherent system
Achievement of quality involves all stages of the Business
Supply
R&D
Chain Cycle.
Custom
er
On the right are some examples of some key business
Service processes.


Relationship Between ISO 13485 And Product / Service Quality

(Figure: ISO 13485:2016 - Quality Management System → product and service quality which meets
customers’ and statutory/regulatory requirements.)

Having ISO 13485:2016 means you can demonstrate capabilities of consistently meeting customers’
and applicable statutory and regulatory requirements.
• The requirements within ISO 13485:2016 are aimed primarily at enhancing customer
satisfaction through the effective application of the QMS.
• It is important to differentiate between requirements for quality management systems
(QMS) and requirements for products.
o Requirements for QMS are specified in ISO 13485:2016.
o Requirements for QMS are generic and applicable to all organisations.
• Requirements for products can either be specified by customers or by the organisation in
anticipation of customer requirements, or by regulation.
The requirements for products and, in some cases, associated processes, can be contained in:
• Technical specifications
• Product standards
• Process standards
• Contractual agreements
• Regulatory requirements
In all Quality Management Systems, the priority is the product or service of the organisation. Never
lose sight of the product/service when developing, implementing, improving and auditing a quality
management system.

Benefits of a Quality Management System


• Improved finances
o Fewer lost opportunities in the marketplace where ISO 13485:2016 is a requirement
o Less waste through more effective and efficient processes
• Enhanced reputation through improved ability to satisfy Customers
• Greater internal clarity and confidence through:
o Setting of objectives
o Measurement of performance, and
o Feedback to employees on the effectiveness of processes
• Better trained employees
• Encourages an open approach to problem solving through the corrective action process, and
hence less likelihood of problems recurring.


3. Introduction to Quality Management System Standards

• Sector-specific standards
• Integrated Management Systems
• Registration System
• Seven Quality Management Principles
• Developing a QMS
• Process Management

The ISO 9000 series of standards:
• ISO 9000:2015: Quality management systems - Fundamentals and vocabulary (definitions)
• ISO 9004:2009: Quality management systems - Managing for the sustained success of an
organization (continuous improvement)
• ISO 13485:2016: Quality management systems - Requirements
• ISO 19011:2019: Guidelines for auditing management systems

• ISO 13485 specifies the minimum requirements for a quality management system in MedTech
industries
• ISO 9004 is intended to give guidance for sustaining success through continuous
improvement
• ISO 9000 provides the fundamental concepts, principles and vocabulary for quality
management systems and provides the foundation for other quality management systems
standards.
• ISO 19011 is used to set the guidelines for auditing management systems including the
quality management system
Sector-Specific Standards

• ISO 13485 (Medical Devices)
• ISO/TS 16949 (Automotive)
• ISO 22000 (Food)
• AS 9100 (Aerospace)
• cGMPs (Pharma and Medical Devices)


Some of these sector-specific standards use the requirements within ISO 13485:2016 as the basic
requirements.

Integrated Management Systems


(Figure: an Integrated Management System combining ISO 13485 - Quality, ISO 14001 - Environment,
ISO 45001 - Health and Safety, and ISO 22000 - Food.)

Different management systems can be integrated into a single management system using common
elements, such as the use of Annex SL, which specifies the framework for a generic management
system.
• Integration can facilitate
o Planning
o Allocation of resources
o Defining complementary objectives
o Evaluation of the overall effectiveness of the organisation.
• Integrated audits can save time and money.
Registration Systems

(Figure: Accreditation bodies → Certification / Registration bodies → Organisations seeking
certification to a standard such as ISO 13485.)

Accreditation bodies are established in many countries with the primary purpose of ensuring that
conformity assessment bodies are subject to oversight by an authoritative body.
Examples of accreditation bodies are:
• INAB (Irish National Accreditation Board)
• UKAS (United Kingdom Accreditation Service)
• ANAB (ANSI – ASQ National Accreditation Board)
The National Standards Agency of Ireland (NSAI) and the British Standards Institute (BSI) are
examples of certification bodies.
ISO/IEC 17021-1:2016 contains principles and requirements for the competence, consistency and
impartiality of bodies providing audit and certification of all types of management systems.


Seven Quality Management Principles

The requirements in ISO 13485:2016 are based on seven quality management principles.

(Figure: the seven principles arranged around the QMS: Customer Focus, Leadership, Engagement of
People, Process Approach, Improvement, Evidence-based decision making, Relationship management.)

• Customer Focus
o Organisations depend on their customers, and therefore, should understand current
and future customer needs, meet customer requirements and strive to exceed
customers’ expectations
• Leadership
o Leaders establish unity of purpose and direction of the organisation. They should
create and maintain the internal environment in which people can become fully
involved in achieving the organisation’s objectives
• Engagement of People
o Competent, empowered and engaged people at all levels throughout the organisation
are essential to enhance the organisation’s capability to create and deliver value
• Process Approach
o Consistent and predictable results are achieved more effectively and efficiently when
activities are understood and managed as interrelated processes that function as a
coherent system
• Improvement
o Successful organisations have an on-going focus on improvement
• Evidence-based decision making
o Decisions based on the analysis and evaluation of data and information are more
likely to produce desired results
• Relationship management
o For sustained success, organisations manage their relationships with interested
parties, such as providers.


Developing a Quality Management System Using the Fundamental Concepts and Principles:

Organisations share many characteristics with humans as a living and learning social organism. Each is
adaptive and comprises interacting systems, processes, and activities. In order to adapt to their
varying context, each needs the ability to change.
Organisations often innovate to achieve breakthrough improvements.
An organisation’s QMS model recognises that not all systems, processes and activities can be
predetermined; therefore, it needs to be flexible and adaptable within the complexities of the
organisational environment.
All organisations consist of systems, processes, and activities.
System
Organisations seek to understand the internal and
external context to identify the needs and
expectations of relevant interested parties. This
information is used in the development of the QMS to
achieve organisational sustainability. The outputs
from one process can be the inputs into other
processes and are interlinked into the overall system.
Many organisations have similar processes, such as
Sales and Purchasing, but each organisation and its
QMS is unique.

Processes
The organisation has processes that can be
defined, measured, and improved. These
processes interact with each other, and
cross functional boundaries to deliver
results consistent with the organisation’s
objectives. Processes have inter-related
activities, which take inputs (such as
manpower, material, method, and
machinery) and transforms them into
outputs.
Activities
People collaborate within a process to carry out their daily activities. Some activities are prescribed in
documented information, while others are not and instead react to external stimuli that determine their
nature and execution.
Development of a Quality Management System: A QMS is a dynamic system that evolves over time
through periods of improvement. A formal QMS provides a framework for planning, executing,
monitoring and improving the performance of activities. ISO 13485:2016 can be used to develop a
QMS which is flexible, based on the needs of the organisation and interested parties, and the
environment/context in which it operates.


The QMS does not need to be complicated; the simpler it is, the better it will be understood. A core
part of any QMS will be the adoption of the process-based approach. Refer to your Student Workbook
for examples of mapping processes.
A process is defined in ISO 9000 as:
“a set of interrelated or interacting activities that use inputs to deliver an intended result”
Examples in business include:
The process approach is one of the seven quality management principles. The adoption of the process
approach is a key requirement in ISO 13485:2016 and must be in place in an organisation. The details
of how an organisation implements this requirement is at the discretion of the organisation.

Process Approach and Organisational Structure


Identification of Processes
• Identify product and service offerings to the customer(s)
• Key business processes are the different stages involved in realising the product/service
offerings
o Design
o Production
o Service Delivery
Different levels
• System (inter-related key business processes)
• Key Business Processes
• Sub Processes
• Activities
Have support processes, such as HR, Equipment Maintenance and IT Support been included?
Processes operate cross-functionally, where approximately 80% of problems happen at the interface
between functions.
All processes have some common characteristics:

• They have someone who is held accountable for how well the process performs (the process
owner)
• They have well-defined boundaries
• They have well-defined internal interfaces and responsibilities
• They have documented information
• They have training & development requirements
• They have measurement and feedback controls close to the point at which the activity is being
performed
• They have customer-related measurements and targets, such as service, quality and cost
• They have known cycle times
• They have formalised change procedures
Reference material on process management is available from the web links below or by searching
online for: “Guidance on the concept of and use of the Process Approach for Management Systems”,
“Identification of Processes”, “Understanding the Process Approach”
www.iso.org/tc176/sc2 www.iso.org/tc176/ISO9001AuditingPracticesGroup


4. ISO 13485:2016 Summary of Requirements


Summary of key requirements of ISO 13485:2016
The new ISO 13485:2016 (published on February 25, 2016) specifies an effective framework to
implement requirements specific to medical technology organisations and related service providers. In
summary, there are five areas of the ISO 13485 standard where major changes have been made:

Regulatory requirements
The first is an emphasis on regulatory requirements that is seen across the standard. This includes
not only the local requirements that apply to your facility; if you are an organisation that
commercialises its products globally, you also need to take into consideration all relevant international
requirements. There are many references to this throughout ISO 13485:2016.

Risk management
Another theme that permeates the standard is the need to incorporate risk management into
all the main processes within your organisation.
Validation, verification, and design transfer

The ISO 13485:2016 standard puts a lot more structure into place surrounding these activities. You
must have plans in place and documented evidence to show what you have been doing for validation,
verification, and design transfer activities.

Outsourced processes and supplier control


The ISO 13485:2016 standard asks organisations to do a lot more when it comes to outsourcing
processes and putting into place controls for assessing your suppliers, again based on risk.

Feedback
Finally, ISO 13485:2016 requires you to monitor and measure the performance of your quality
management system not only during production, but also post-market. You also must incorporate
those activities as part of your risk management process.
In addition, the new ISO 13485 standard is more flexible than the old. In the past, organisations could
only exclude section 7 requirements (on product realisation), and then only if they could justify their
decision. Now, they can treat any requirement in sections 6, 7 or 8 as not applicable if they can justify
doing so because of the nature of their activities or products.
QMS
The general requirements are that an organisation shall document a QMS and maintain its
effectiveness in accordance with ISO 13485 and applicable regulatory requirements. A risk-based
approach is required. The focus is on identifying and managing the processes necessary to achieve
customer satisfaction, regulatory requirements and product safety.
Computer software used in the QMS must be validated prior to initial use and, as appropriate, after
any change to the software or its application. The validation approach must be proportionate to the
risk associated with the use of the software, and records of validation activities must be maintained.

The documentation requirements include:

- documentation required by the organisation, and
- documentation required by ISO 13485.

There are many examples throughout the standard where documented procedures are required,
including the control of nonconformity, corrective action, preventive action, internal audit, control of
documents and control of records.
A Quality Manual is necessary which describes the QMS in use within the organisation.


A Medical Device File is required, for each medical device type or family, for regulatory purposes.

Documents and records need to be controlled. Documents must be approved, current, available
where required and adequately controlled. Control of records required by the QMS includes
identification, storage, security and integrity, retrieval, retention time and disposition.
In addition, the organisation must define and implement methods for protecting confidential health
information contained in records, in accordance with applicable regulatory requirements.
Management Responsibility

Quality objectives shall be established using the PDCA concept; they should be documented and
consistent with the Quality Policy. They should also be based on risk and be SMART:
S: Specific
M: Measurable
A: Achievable
R: Results-orientated or Relevant
T: Time-bound
A plan needs to be in place for how to achieve the quality objectives.
The Quality Policy (i.e. overall intentions) needs to be documented, communicated and understood.

Quality Planning includes the planning involved in identifying the processes of the QMS, the
resources needed to achieve the desired results (such as customer and regulatory requirements),
verification and validation activities, criteria for acceptability, and the records required.

Planning must also ensure that change is carried out in a controlled manner.
Responsibilities and authorities shall be defined, documented and communicated.

A management representative must be appointed to:


• ensure that processes are established and maintained
• report on the performance of the QMS, and
• promote awareness of the QMS and regulatory requirements.
Communications relating to the QMS and its effectiveness are necessary.

A Management Review shall be carried out to ensure the continuing suitability, adequacy and
effectiveness of the QMS.

Resource Management
The organisation shall determine and provide the resources needed to establish, maintain and improve
the QMS processes, and to meet regulatory and customer requirements.
Personnel shall be competent.


The necessary training and development must be provided, and its effectiveness evaluated.

Infrastructure, such as buildings, workspace, equipment (hardware and software) and supporting
services shall be defined, provided and maintained.

The human and physical factors of the work environment needed to achieve product and service
conformity shall be defined and managed. This includes the controls relating to microorganisms and
particulate matter, as appropriate.

Product Realisation (Supply Chain Management)

In planning processes such as design and production, the organisation needs to determine
controls such as risk management, objectives, product requirements, product acceptance criteria,
documents, verification, validation, inspection and test, handling, storage, distribution, traceability,
and records.

Customer-related processes include the identification and agreement of customer and regulatory
requirements, user training, and a review of such requirements to ensure that the organisation can
meet them. Customer-related processes also include customer and regulatory communications,
enquiry handling and customer complaints.

Design and development require documented procedures for planning, controlling and verifying
product design and development. There are requirements for design and development planning,
inputs, outputs, review, verification, validation, transfer, change control, and design and
development files.


Purchasing requires that purchased product conforms to specified requirements; this is ensured
through supplier evaluation and selection, risk management, clear and accurate purchasing
information and verification of purchased product.

Production and service operations include controls relating to:

• availability of documented procedures
• qualification of infrastructure
• the availability and use of suitable measuring and monitoring equipment
• the implementation of suitable monitoring and measurement activities
• suitable methods for release, delivery and applicable post-delivery activities
• cleanliness of product
• installation activities
• servicing activities
• identification and traceability
• control of sterile devices
• care of customer property
• handling, storage and packaging
• process validation, where applicable

Measuring and monitoring equipment used to assure conformance of product shall be calibrated.
Software used for measuring and monitoring of specified requirements shall be validated.

Measurement, Analysis and Improvement

Monitoring and measurement include:

• feedback on customer satisfaction and quality performance,
• complaint handling (not just customer complaints; a definition of complaint is given in
“Terms and definitions” at the beginning of the standard),
• reporting to regulatory authorities,
• carrying out internal audit, and
• process and product monitoring and measurement.

Product and service which does not conform to requirements shall be identified and controlled to
prevent unintended use or delivery.
The organisation shall collect and analyse data to determine the suitability, adequacy and
effectiveness of the QMS.

The QMS shall be improved. A documented procedure for corrective action is required to eliminate the
causes of nonconformities, and a documented procedure for preventive action is required to eliminate
or minimise the causes of potential problems.


5. Introduction to Quality Auditing

• ISO 19011
• What is Auditing
• Principles of Auditing
• Purpose of Auditing
• Types of Audits
• Human Elements
• Managing an Audit Program

ISO 19011:2018

ISO 19011:2018 is an international standard which provides guidelines for auditing management
systems. It provides guidance on the fundamentals of auditing, the management of audit programmes,
the conducting of management system audits and the competence and evaluation of management
system auditors.
It is applicable to all organisations and to the carrying out of both internal and external audits.
The sections in this course manual on auditing use ISO 19011 as the basis for both their structure
and content.
Four main clauses:
1. Principles of auditing
2. Managing an audit programme
3. Performing / Carrying out an audit
4. Competence and evaluation of auditors
There is also separate guidance for 3rd party auditing (e.g. certification); the requirements are
specified in ISO/IEC 17021-1:2015.
What is Auditing?

ISO 9000 defines an Audit as:

“A systematic, independent and documented process for obtaining objective evidence and
evaluating it objectively to determine the extent to which audit criteria are fulfilled”

Auditing is a bit like going to your doctor for a health check: you have a medical check and compare
the results to the standard. Here are some examples:

Metric                           | Standard                          | Actual | Comments
Temperature                      | 37°C                              | 37°C   | Conforms
Average adult pulse rate at rest | 70 beats per minute               | 70     | Conforms
Total cholesterol                | < 5 millimoles per litre of blood | 5.8    | Needs improvement

The focus for improvement is cholesterol; your doctor should be able to advise you on this.


You then put a plan in place and after a period get another health check done.
This sequence follows the Plan-Do-Check-Act (PDCA) cycle.

Audit Evidence in ISO 9000 is defined as:

“records, statements of fact or other information which are relevant to the audit criteria and
verifiable”

Audit Criteria in the same standard, ISO 9000, is defined as:

“set of policies, procedures or requirements used as a reference against which objective evidence
is compared”

Procedures within an organisation can be documented or not; there is no requirement in ISO
13485:2016 for all procedures to be held as documented information.
Because of this, an auditor must establish the audit criteria when planning the audit.
Audit criteria are used as the reference against which audit evidence is compared.

• Is the Quality System effective, not just conforming?
• Is the Quality System suitable to achieve the objectives set?
• Are measurable objectives set?

How am I going to divide my time during the audit? What proportion of time should be spent on:

• Conformance
• Effectiveness
• Improvement

The auditor may decide to do a higher proportion of conformance-based auditing of the QMS in its
early days, or when major changes have been made.

Seven Principles of Auditing

1) Independence
• The basis for the impartiality of the audit and the objectivity of the audit conclusions
2) Fair presentation
• The obligation to report truthfully and accurately, including system inadequacies and
nonconformities
3) Due professional care
• To be diligent and to make reasoned judgements
4) Confidentiality
• To maintain the security of information obtained during the audit
5) Evidence-based approach
• To ensure that audit evidence is verifiable
6) Integrity
• To carry out audits with honesty and to be sensitive to any influences that may be exerted on your
judgement
7) Risk-based approach
• To use the identification of risk within the scope of the audit to address the areas of concern
There are further references in the student workbook on the principles of auditing.
There are further references in the student workbook on the principles of auditing
The Internal Audit Requirements of ISO 13485:2016

ISO 13485:2016 sets out the requirements for internal audits in section 8.2.4 Internal audit

The organization shall conduct internal audits at planned intervals to determine whether the
quality management system:
a) conforms to planned and documented arrangements, requirements of this International
Standard, quality management system requirements established by the organization, and
applicable regulatory requirements;
b) is effectively implemented and maintained.
The organization shall document a procedure to describe the responsibilities and requirements for planning
and conducting audits and recording and reporting audit results. An audit program shall be planned, taking
into consideration the status and importance of the processes and area to be audited, as well as the results
of previous audits. The audit criteria, scope, interval and methods shall be defined and recorded (see 4.2.5).
The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit
process. Auditors shall not audit their own work.
Records of the audits and their results, including identification of the processes and areas audited and the
conclusions, shall be maintained (see 4.2.5). The management responsible for the area being audited shall
ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate
detected nonconformities and their causes. Follow-up activities shall include the verification of the actions
taken and the reporting of verification results.

Purpose of Auditing

There are multiple reasons for an organisation to carry out audits of its processes and activities:

• To determine the effectiveness of the implemented quality system in meeting specified
quality objectives.
• To determine conformance to quality system standards, such as ISO 13485:2016 (the standard
itself also requires that internal audits be performed).
• To provide the auditor with an opportunity to highlight areas for improvement.
• To permit the listing of the audited organisation’s quality system in a register.
• To meet regulatory requirements such as the Food and Drug Administration’s (FDA) Good
Manufacturing Practices (GMP) in the USA.

Management requires assurance that the quality system can deliver quality products and services that
meet agreed customer requirements and customer expectations.
Auditing should be looked on as a means of helping the organisation identify and improve the
effectiveness and efficiency of its practices in pursuit of the organisation’s objectives.
This is different from simply identifying conformance to those practices. Adding value during the audit
process ensures not only that the business is doing things right, but also that the right things are being
done. The improvement reason given above is becoming increasingly important for organisations whose
quality systems are maturing.
At this stage the major issue may not be compliance but continual improvement. The audit is used
as a proactive tool to identify opportunities for improvement throughout the system.
Types of Audits

There are three main protocols for auditing, based on who is carrying out the audit:

• 1st Party: evaluating an organisation’s own quality system against a quality system standard.
• 2nd Party: evaluating a supplier. The purpose is usually to award a contract to supply, or to
rate an existing supplier.
• 3rd Party: to achieve 3rd party registration / certification, or to meet regulatory requirements.

The benefit of 3rd party certification is that international standards are strategic tools and guidelines
to help companies tackle some of the most demanding challenges of modern business. They help ensure
that business operations are as efficient as possible, increase productivity and help companies access
new markets. The benefits of certification to international standards include:

• Cost savings
o International standards help optimise operations and thereby can improve the
bottom line
• Enhanced customer satisfaction
o International standards help improve quality, can enhance customer satisfaction and
increase sales
• Access to new markets
o International standards help prevent trade barriers and open global markets
• Increased market share
o International standards can help increase productivity and competitive advantage
• Environmental benefits
o International standards can help reduce negative impacts on the environment
Certification Audits

The initial certification audit of a management system is conducted in two stages:

• Stage 1 audit
• Stage 2 audit
A stage 1 audit is used as a basis for planning the detailed stage 2 audit, to ensure that the relevant
quality system requirements have been taken account of and included in their operations.


A Stage 1 audit includes:

• An evaluation of the location and site-specific conditions


• Determining preparedness for the Stage 2 audit
• A review of the clients’ understanding regarding requirements of the standard
• Collecting information regarding scope and related statutory and regulatory requirements
• A review of the resources required for Stage 2 audit
• An evaluation of internal audits and management review; that they are being planned and
performed
In preparation for a 3rd party audit, a preliminary site visit may be necessary to obtain the above
information. The purpose of this visit is to:

• Clarify with the management of the organisation to be audited the scope of the audit and
areas to be audited
• Agree the procedures to be adopted during the audit
• Confirm the documentation being used with the organisation being audited
• Discuss any points which need clarification
The benefits of such a visit are that:

• It imparts a sense of co-operation
• It identifies any special needs for the audit team, such as skills, knowledge, facilities, protective
clothing, etc.
• It identifies the layout of the facility so that a more accurate estimate of the number of
auditors and the time required can be made.

A Stage 1 audit provides a focus for planning Stage 2.

ISO/IEC 17021 states the following in relation to the Stage 2 audit:
The purpose of the Stage 2 audit is to evaluate the implementation, including effectiveness,
of the client’s management system. The Stage 2 audit shall take place at the site(s) of the
client. It shall include a review of all clauses.
Human Elements of Auditing

If auditing is being introduced for the first time, it can be a cultural issue.
Auditing will operate smoothly only if it is accepted as a valuable improvement tool; management
and all employees must be educated about its benefits.
You must carefully select and instruct your auditors. Auditors should be good at putting people at ease
and should not nit-pick.


Managing an Audit Program

The stages of managing an audit programme, mapped to the Plan-Do-Check-Act cycle:

Plan
• General Requirements
• Programme Objectives
o Establishing audit programme objectives
o Determining and evaluating audit programme risks and opportunities
o Establishing the audit programme: scope, schedule, type, criteria
• Preparation for Audit
o Understanding the auditee’s organisation
o Process approach
o Critical Success Factors
o Audit Plan
o Initial auditee contact
o Type of audit
o Surveillance audit
o Preliminary visit
o Study of documentation and information
o No formal QMS
o Work documents
o Audit checklists
o Team assignments
o Classifying nonconformities
o Productive meetings

Do
• Implementing the audit programme
o Objectives / scope / criteria
o Audit methods
o Audit team
o Managing outcomes
o Managing records
o Auditor selection
o Audit scope
o Schedule and frequency
• Carrying out / conducting the Audit
o Opening meeting
o Auditing a process
o Audit methods
o Sequence
o Audit of effectiveness and improvement
o Collecting information
o Communications
o Audit sampling
o Audit findings
o Preparation for the closing meeting
o Closing meeting

Check
• Completing the Audit
o Audit report preparation and distribution
o Audit report
o Confirmation of corrective actions (CAs)
o Classification of CAs
o Effectiveness of CAs
o Audit closure

Act / Improve the Audit Program
• Monitoring the Auditing Program
o Review the auditing process: is it effective?
o Conducting management review
• Audit Follow Up
o Continual improvement


When establishing Audit program objectives, the following should all be considered:

• Stakeholder needs and expectations


• Characteristics of, and requirements for, processes, products, services and projects including
any changes to them
• The need to evaluate external providers
• Management system requirements
• The auditee’s levels of risk and opportunity
• The auditee’s level of performance
• The results of their previous audits
• The maturity of their management system(s)
Examples of audit programme objectives can include the following:

• Identify opportunities to improve management system and its performance


• Evaluate the capability of the auditee to determine its context
• Evaluate the capability of the auditee to determine risks and opportunities and to identify and
implement effective actions to address them
• Conform to all relevant requirements
o Statutory
o Regulatory requirements
o Commitments
o Requirements for certification to a management system standard
• Obtain and maintain confidence in the capability of an external provider
• Determine the continuing suitability, adequacy and effectiveness of the auditee’s
management system
• Evaluate the compatibility and alignment of the management system objectives with the
strategic direction of the organisation
The individual(s) managing the programme should then present to the audit client the risks and
opportunities determined while developing the audit programme, together with the programme’s
associated resource requirements.
Determining and Evaluating Audit Programme Risks and Opportunities

There are risks and opportunities related to the context of the auditee that can be associated with an
audit programme and can affect the achievement of its objectives. The individual(s) managing the
audit programme should identify and present to the audit client (auditee) the risks and opportunities
considered when developing the audit programme and resource requirements, so that they can be
addressed appropriately.
There can be risks associated with the following:

• Planning
o Failure to set relevant audit objectives and determine the extent, number, duration,
locations and schedule of the audits;
• Resources
o Allowing insufficient time, equipment and/or training for developing the audit
programme or conducting an audit
• Selection of the audit team
o Insufficient overall competence to conduct audits effectively
• Communication
o Ineffective external/internal communication processes/channels


• Implementation
o Ineffective coordination of the audits within the audit programme, or not considering
information security and confidentiality
• Control of documented information
o Ineffective determination of the necessary documented information required by
auditors and relevant interested parties, failure to adequately protect audit records
to demonstrate audit programme effectiveness
• Monitoring, reviewing and improving the audit programme
o Ineffective monitoring of audit programme outcomes; availability and cooperation of
auditee and availability of evidence to be sampled
Managing Audit Programme Results

The individual(s) managing the audit programme should ensure:

• Evaluation of the achievement of the objectives for each audit within the audit programme
• Review and approval of audit reports regarding the fulfilment of the audit scope and objectives
• Review of the effectiveness of actions taken to address audit findings
• Distribution of audit reports to relevant interested parties
• Determination of the necessity for any follow-up audit
Managing and Maintaining Audit Programme Records

Audit records should be generated, managed and maintained to demonstrate the implementation of
the audit programme. Processes should be established to ensure that any information security and
confidentiality needs associated with the audit records are addressed. The records include:
Records related to the audit programme, such as:

• Schedule of audits
• Audit programme objectives and extent
• Those addressing audit programme risks and opportunities
• Relevant external and internal issues
• Reviews of the audit programme effectiveness
Records related to each audit, such as:

• Audit plans and audit reports


• Objective audit evidence and findings
• Nonconformity reports
• Corrections and corrective action reports
• Audit follow-up reports
Records related to the audit team covering topics such as:

• Competence and performance evaluation of the audit team members


• Criteria for the selection of audit teams and team members and formation of audit teams
• Maintenance and improvement of competence
The form and level of detail of the records should demonstrate that the objectives of the audit
programme have been achieved.


Monitoring Audit Programme

The individual(s) managing the audit programme should ensure the evaluation of:

• Whether schedules are being met and audit programme objectives are being achieved
• The performance of the audit team members including the audit team leader and the
technical experts
• The ability of the audit teams to implement the audit plan
• Feedback from audit clients, auditees, auditors, technical experts and other relevant parties
• Sufficiency and adequacy of documented information in the whole audit process
Some factors can indicate the need to modify the audit programme. These can include changes to:

• Audit findings
• External providers
• Effectiveness of the audit programme
• Audit scope or audit programme scope
• The auditee’s management system
• Identified conflicts of interest
• Standards, and other requirements to which the organisation is committed
• Demonstrated level of auditee’s management system effectiveness and maturity
• The audit client’s requirements
Reviewing and Improving the Audit Programme

The individual(s) managing the audit programme and the audit client should review the audit
programme to assess whether its objectives have been achieved. Lessons learned from the audit
programme review should be used as inputs for the improvement of the programme.
The individual(s) managing the audit programme should ensure the following:

• Review of the overall implementation of the audit programme
• Identification of areas and opportunities for improvement
• Application of changes to the audit programme if necessary
• Review of the continual professional development of auditors, in accordance with clause 7.6
of ISO 19011:2018
• Reporting of the results of the audit programme and review with the audit client and relevant
interested parties, as appropriate
The audit programme review should consider the following:
• Results and trends from audit programme monitoring
• Conformity with audit programme processes and relevant documented information
• Evolving needs and expectations of relevant interested parties
• Audit programme records
• Alternative or new auditing methods, and alternative or new methods to evaluate auditors
• Effectiveness of the actions to address the risks and opportunities, and the internal and external
issues associated with the audit programme
• Confidentiality and information security issues relating to the audit programme
• Matching the level of competence of the audit team to the level of competence needed to
achieve the audit objectives
• Aligning audit dates with the availability of the auditee’s key staff


ISO 19011:2018 Process Flowchart for Auditing

(Clauses in this diagram refer to ISO 19011 Standard for Auditing Management Systems)


6. Planning the Audit Programme

• Initial stages
• How much auditing?
• Auditors’ Responsibilities
• Auditor Selection
• Auditor competence and evaluation of auditors
• Audit Scope, Schedule, Frequency

Initial Stages of the Life Cycle

No audit can be adequately carried out unless the programme is authorised by top management; the
audit must be seen as a valuable tool.
Prior to any detailed preparation, feasibility needs to be determined: if there is inadequate co-operation
from the auditee, inadequate time, or insufficient information about the scope, there is little point in
proceeding.
What are the audit objectives? An example might be:
“To determine the effectiveness, level of conformance and opportunities for improvement in the Sales
Order process”.
How Much Auditing?

The extent of the audit programme depends upon factors such as:

• The audit scope
• The frequency; some critical activities may be audited more frequently
• The duration; may depend on the budgeted hours made available
• The size of the organisation; bigger organisations normally require more auditing time
• The complexity of the processes
• The audit criteria, such as standards, regulations and legislation; more auditing is generally
required in a regulated environment
• Results of previous audits
• Concerns expressed by management, and
• Significant changes.
Auditor’s Responsibilities

Auditors are responsible for:

• Complying with the applicable audit requirements
• Communicating and clarifying audit requirements
• Planning and carrying out assigned responsibilities effectively and efficiently
• Documenting the observations
• Reporting the audit results
• Verifying the effectiveness of corrective actions taken as a result of the audit
• Retaining and safeguarding documents pertaining to the audit and submitting such
documents as required
• Ensuring such documents remain confidential
• Treating privileged information with discretion
• Co-operating with and supporting the lead auditor


Lead Auditor’s Responsibilities

• Ultimately responsible for all phases of the audit


• Should have management capabilities and experience
• Should be given authority to make final decisions regarding the conduct of the audit and any
audit observations
The Lead Auditor’s responsibilities also cover:

• Assisting with the selection of other audit team members


• Preparation of audit plan
• Representing the audit team with the auditee’s management
• Submitting the audit report
Auditor Selection

Auditor selection is crucial when carrying out audits against ISO 13485:2016.
Select auditors from different management levels within the organisation. Initially:
• Effectiveness and improvement: auditors from a more senior level in the organisation
• Conformance and compliance: auditors from the front line
Audit in pairs:

• Combine auditors from a more senior level with front-line auditors
• This gives individual auditors more confidence

The person managing the audit programme should appoint the members of the audit team, including
the team leader if relevant and any technical experts needed.
Auditor Competence and Evaluation of Auditors

Confidence in the audit process and the ability to achieve its objectives depends on the competence
of those individuals who are involved in performing audits, including auditors and lead auditors.
Competence should be evaluated regularly through a process that considers personal behaviour and
the ability to apply the knowledge and skills gained through education, work experience, auditor
training and audit experience. This process should take into consideration the needs of the audit
programme and its objectives. The evaluation of auditor competence should be planned,
implemented and documented to provide an outcome that is objective, consistent, fair and reliable.
The evaluation process should include four main steps, as follows:

• Determine the required competence to fulfil the needs of the audit programme
• Establish the evaluation criteria
• Select the appropriate evaluation method
• Conduct the evaluation
The outcome of the evaluation process should provide a basis for the following:

• Selection of audit team members
• Determining the need for improved competence (e.g. additional training)
• Ongoing performance evaluation of auditors


Auditors should develop, maintain and improve their competence through Continual Professional
Development and regular participation in audits.
Determining Auditor Competence

When determining the necessary competence for an audit, an auditor’s knowledge and skills related
to the following should be considered:

• The size, nature, complexity, products, services and processes of auditees
• The methods for auditing
• The management system disciplines to be audited
• The complexity and processes of the management system to be audited
• The types and levels of risks and opportunities addressed by the management system
• The objectives and extent of the audit programme
• The uncertainty in achieving audit objectives
• Other requirements, e.g. those imposed by the auditee or other relevant interested parties
Personal Behaviour

Auditors should possess the necessary attributes to enable them to act in accordance with the
principles of auditing. Auditors should exhibit professional behaviour during the performance of audit
activities. Desired professional behaviours include being:

• Ethical, i.e. fair, truthful, sincere, honest and discreet
• Open-minded, i.e. willing to consider alternative ideas or points of view
• Diplomatic, i.e. tactful in dealing with individuals
• Observant, i.e. actively observing physical surroundings and activities
• Perceptive, i.e. aware of and able to understand situations
• Versatile, i.e. able to readily adapt to different situations
• Tenacious, i.e. persistent and focused on achieving objectives
• Decisive, i.e. able to reach timely conclusions based on logical reasoning and analysis
• Self-reliant, i.e. able to act and function independently while interacting effectively with
others
• Able to act with fortitude, i.e. able to act responsibly and ethically, even though these actions
may not always be popular and may sometimes result in disagreement or confrontation
• Open to improvement, i.e. willing to learn from situations
• Culturally sensitive, i.e. observant and respectful to the culture of the auditee
• Collaborative, i.e. effectively interacting with others, including audit team members and the
auditee’s personnel
Auditor Knowledge and skills

Should include knowledge and skills necessary to achieve the intended results of the audits and
generic competence and a level of discipline and sector-specific knowledge and skills. For example:
Audit principles, processes and methods: knowledge and skills in this area enable the auditor to
ensure audits are performed in a consistent and systematic manner. An auditor should be able to:

• Understand the types of risks and opportunities associated with auditing and the principles of
the risk-based approach to auditing
• Plan and organise the work effectively
• Perform the audit within the agreed time schedule
• Prioritise and focus on matters of significance


• Communicate effectively, orally and in writing (either personally, or using interpreters)
• Collect information through effective interviewing, listening, observing and reviewing
documented information, including records and data
• Understand the appropriateness and consequences of using sampling techniques for auditing
• Understand and consider technical experts’ opinions
• Audit a process from start to finish, including the interrelations with other processes and
different functions, where appropriate
• Verify the relevance and accuracy of collected information
• Confirm the sufficiency and appropriateness of audit evidence to support audit findings and
conclusions
• Assess those factors that may affect the reliability of the audit findings and conclusions
• Document audit activities and audit findings, and prepare reports
• Maintain the confidentiality and security of information
Management system standards and other references: knowledge and skills in this area enable the
auditor to understand the audit scope and apply audit criteria, and should cover the following:

• Management system standards or other normative or guidance/supporting documents used
to establish audit criteria or methods
• The application of management system standards by the auditee and other organisations
• Relationships and interactions between the management system(s) processes
• Understanding the importance and priority of multiple standards or references
• Application of standards or references to different audit situations
The organisation and its context: knowledge and skills in this area enable the auditor to understand
the auditee’s structure, purpose and management practices and should cover:

• Needs and expectations of relevant interested parties that impact the management system
• Type of organisation, governance, size, structure, functions and relationships
• General business and management concepts, processes and related terminology, including
planning, budgeting and management of individuals
• Cultural and social aspects of the auditee
Applicable statutory and regulatory requirements and other requirements: knowledge and skills in
this area enable the auditor to be aware of, and work within, the organisation’s requirements.
Knowledge and skills specific to the jurisdiction or to the auditee’s activities, processes, products and
services should cover the following:

• Statutory and regulatory requirements and their governing agencies
• Basic legal terminology
• Contracting and liability
Note: Awareness of statutory and regulatory requirements does not imply legal expertise
Discipline and Sector-Specific Competence of Auditors

Audit teams should have the collective discipline and sector-specific competence appropriate for
auditing the types of management systems and sectors.
Generic Competence of Lead Auditors
In order to facilitate the efficient and effective conduct of the audit an audit team leader should have
the competence to:


• Plan the audit and assign audit tasks according to the specific competence of individual audit
team members
• Discuss strategic issues with top management of the auditee to determine whether they have
considered these issues when evaluating their risks and opportunities
• Develop and maintain a collaborative working relationship among the audit team members
• Manage the audit process, including:
o Making effective use of resources during the audit
o Managing the uncertainty of achieving audit objectives
o Protecting the health and safety of the audit team members during the audit,
including ensuring compliance of the auditors with the relevant health and safety, and
security arrangements
o Directing the audit team members
o Providing direction and guidance to auditors-in-training
o Preventing and resolving conflicts and problems that can occur during the audit,
including those within the audit team, as necessary
• Represent the audit team in communications with the individual(s) managing the audit
programme, the audit client and the auditee
• Lead the audit team to reach the audit conclusions
• Prepare and complete the audit report
Knowledge and Skills for Auditing Multiple Disciplines
When auditing multiple-discipline management systems (e.g. Integrated Management Systems), the
audit team members should understand the interactions and synergy between the different
management systems.
Achieving Auditor Competence
Auditor competence can be acquired using a combination of the following:

• Successfully complete training programmes that cover generic auditor knowledge and skills
• Experience in a relevant technical, managerial or professional position involving the exercise
of judgement, decision making, problem solving and communication with managers,
professionals, peers, customers and other relevant interested parties
• Education/training and experience in a specific management system discipline and sector that
contribute to the development of overall competence
• Audit experience acquired under the supervision of an auditor competent in the same
discipline
Establishing Auditor Evaluation Criteria
The criteria should be qualitative (such as having demonstrated desired behaviour, knowledge or the
performance of the skills, in training or in the workplace) and quantitative (such as the years of work
experience and education, number of audits conducted, hours of audit training).
Selecting Appropriate Auditor Evaluation Method
The evaluation should be conducted using two or more of the methods given in the table below. In
using the table, the following should be noted:

• The methods outlined represent a range of options and may not apply in all situations;
• The various methods outlined may differ in their reliability;
• A combination of methods should be used to ensure an outcome that is objective, consistent,
fair and reliable.


Evaluation method, its objective, and examples of how it is applied:

Review of records
  Objective: to verify the background of the auditor.
  Examples: analysis of records of education, training, employment, professional credentials and
  auditing experience.

Feedback
  Objective: to provide information about how the performance of the auditor is perceived.
  Examples: surveys, questionnaires, personal references, testimonials, complaints, performance
  evaluation, peer review.

Interview
  Objective: to evaluate desired professional behaviour and communication skills, to verify
  information and test knowledge, and to acquire additional information.
  Examples: personal interviews.

Observation
  Objective: to evaluate desired professional behaviour and the ability to apply knowledge and skills.
  Examples: role playing, witnessed audits, on-the-job performance.

Testing
  Objective: to evaluate desired behaviour, knowledge and skills and their application.
  Examples: oral and written exams, psychometric testing.

Post-audit review
  Objective: to provide information on the auditor’s performance during the audit activities and to
  identify strengths and opportunities for improvement.
  Examples: review of the audit report, interviews with the audit team leader and the audit team and,
  if appropriate, feedback from the auditee.
Conducting Auditor Evaluation
The information collected about the auditor under evaluation should be compared against the set
criteria. An auditor who does not fulfil the criteria should be given additional training, work or audit
experience, and a subsequent re-evaluation should be performed.
Maintaining and Improving Auditor Competence
Auditors and audit team leaders should continually improve their competence.
Auditors should maintain their auditing competence through regular participation in management
system audits and continual professional development. This may be achieved through means such as
additional work experience, training, private study, coaching, attendance at meetings, seminars and
conferences or other relevant activities.
The individual(s) managing the audit programme should establish suitable mechanisms for the
continual evaluation of the performance of the auditors and audit team leaders.
The continual professional development activities should consider the following:

• Changes in the needs of the individual and the organisation responsible for the conduct of the
audit
• Developments in the practice of auditing including the use of technology
• Relevant standards including guidance/supporting documents and other requirements
• Changes in sector or disciplines


Audit Scope and Schedule / Frequency

Scheduling audits of single quality system elements (e.g. documentation, calibration) may not be the
best way as this may result in missing important functional interfaces.
The schedule should be based on key processes, taking into consideration the risk of each of them.
Example audit schedule (ISO 13485:2016 has clauses 4 to 8, so the relevant sections are 4, 5, 6, 7 and 8):

Audit Schedule for year: ______    Revision: ______
Schedule approved by: ______    Date: ______

Columns: Area / Activity; ISO 13485 Elements; Procedure Number; Audit Number; Audit Month
(January, February, March, etc.)

Area / Activity: Production / Delivery of Service
  ISO 13485 Elements: relevant parts of Sections 4, 5, 6 & 8; Sections 7.1, 7.5, 7.6
  Audit Number: 15-001

Area / Activity: Design Control
  ISO 13485 Elements: relevant parts of Sections 4, 5, 6 & 8; Sections 7.1, 7.3
  Audit Number: 15-002

Area / Activity: Purchasing
  ISO 13485 Elements: relevant parts of Sections 4, 5, 6 & 8; Sections 7.1, 7.4
  Audit Number: 19-003

etc.

Procedure Number column: for each area, select the relevant procedures and keep a record of those
audited.
One can incorporate an audit tracking mechanism into the above figure. This could be done with a
sequence of five markers entered in the month cell as the audit progresses (the marker symbols
themselves are not reproduced in this text):

• Marker 1 indicates that an audit is scheduled for this month
• Marker 2 indicates that the audit has been conducted
• Marker 3 indicates that corrective actions have been agreed
• Marker 4 indicates that corrective actions are reported complete
• Marker 5 indicates that corrective actions have been verified


Frequency of Audits

The organisation shall ……… refer to ISO 13485 clause 8.2.4 (Internal audit)

The following should be considered:

• The importance of the operation in relation to quality output
• Significant changes in management organisation, policy, technologies or techniques that
could affect the quality system
• Changes to the system itself
• Results of previous audits


7. Audit Preparation (Planning)

• Risk Based Approach to Planning
• Process Approach
• Understanding the Organisation
• Audit Plan
• Critical Success Factors
• Studying Data and Documentation
• Auditee contact checklist
• Work documents
• No formal QMS
• Team assignments
• Audit checklists
• Guidelines for Productive Meetings
• Classification of non-conformity
• ISO 9001 Auditing Practices Group
• The role and value of the audit
Risk Based Approach to Planning

The Lead Auditor should adopt a risk-based approach to planning the audit based on the information
in the audit programme and the documented information provided by the auditee. Audit planning
should consider the risks of the audit activities on the auditee’s processes and provide the basis for
the agreement among the audit client, audit team and the auditee regarding the conduct of the audit.
Planning should facilitate the efficient scheduling and coordination of the audit activities in order to
achieve the objectives effectively.
When planning the audit consider the following:
• The composition of the audit team and its overall competence
• The appropriate sampling techniques
• Opportunities to improve the effectiveness and efficiency of the audit activities
• The risks to achieving the audit objectives created by ineffective audit planning
• The risks to the auditee created by performing the audit
Risks to the audit can result from the presence of the audit team members adversely influencing the
auditee’s arrangements for health and safety, environment and quality, and its products, services,
personnel or infrastructure (e.g. contamination in clean room facilities).

Understanding the Organisation: Numbers in brackets relate to the sections of the ISO 13485 standard.

Columns: Information and data input; DETERMINE; Planned for by defining; What the Auditor looks for

Step 1
  Information and data input: (1) Agreed customers’ requirements and expectations (7.2)
  Determine: (2) Products and services to be sold
  Planned for by defining: (3) Product and service design features
  What the Auditor looks for: (4) Product descriptions; design specifications (7.3.4)

Step 2
  Information and data input: (5) Product descriptions and design specifications (7.3.4)
  Determine: (6) Processes to be performed (4.1)
  Planned for by defining: (7) Sequence/interaction of the processes (4.1); process requirements (7.1)
  What the Auditor looks for: (8) Process map or plan; quality plan; process specifications (7.1)

Step 3
  Information and data input: (9) Process map or plan; quality plan (7.1)
  Determine: (10) How processes are grouped together (4.1)
  Planned for by defining: (11) Organisational hierarchy; reporting levels and responsibilities for
  each process and group of processes (5.5.1)
  What the Auditor looks for: (12) Organisation chart; job descriptions (5.5.1)

Step 4
  Information and data input: (13) Process specifications (7.1); job descriptions (5.5.1)
  Determine: (14) Competencies required for the process (6.2)
  Planned for by defining: (15) Job specifications (5.5.1)
  What the Auditor looks for: (16) Job specifications (5.5.1)


The above is an example of an Audit Trail which extends from basic data and information about the
marketplace to defining how the organisation is structured and is an essential part of audit
preparation.
Process Approach

There is further information in the student workbook on processes.
• An understanding of the process approach will help to maintain the “helicopter” view and
prevent getting involved in unnecessary detail.
• Organisations work through processes. Process improvement is key to continual
improvement – better quality, higher productivity and reduced costs.
• Be familiar with the process being audited.
Critical Success Factors

A critical success factor (CSF) can be described as a factor that to a large extent impacts the
organisation’s competitiveness and its performance in the marketplace.
• Examples are price, quality, knowledge and so on depending on the type of business. In
other words, what is it that our customers truly value about our organisation? The answer
is usually the critical success factors.
• It is important to know as much as possible about these prior to auditing so that the audit
can focus on what’s important to the customer. For example if competitive advantage
relates to the service elements within the organisation such as cycle time or
responsiveness, this is where a significant portion of audit time should be devoted.
• Critical success factors should ideally be related to the key processes, which have most
impact on such factors.
Audit Plan
The audit plan is defined as:

“description of the activities and arrangements for an audit”

Depending on the size and complexity of the audit, an audit plan should include:
• Purpose
• The audit objectives
• Audit scope
• Audit type
• The audit criteria


• Reference documents
• The dates and place where the audit activities are to be conducted
• The identification of the processes, organisational and functional units to be audited
• The identification of the sites, activities and management system processes that are
essential to meeting audit objectives in order to allocate appropriate resources to critical
areas of the audit
• The expected time and duration for audit activities, including meetings with the auditee’s
management and audit team meetings
• The working and reporting language(s) of the audit
• The identification of roles and responsibilities of the audit team members and any
accompanying persons
• The audit report topics (including any methods of non-conformance gradings), format and
structure, expected date of issue and distribution
• Logistical arrangements (travel, on-site facilities, etc.)
• Matters related to confidentiality
• Any arrangements for audit follow-up actions
Initial Auditee Contact

The contents of the Audit Plan should be communicated to the Auditee prior to the audit. Ensure
communication with people in all relevant functions, as process audits typically move across functions.
Request relevant documentation, data analysis and records approximately one to two weeks
beforehand to allow enough time to prepare.
Studying Data and Documentation

Know the relevant sections of the QMS standard. Know what the Key Performance Indicators or
objectives are for the process or area.
Study performance measures (e.g. yields, defects, customer complaints) against these objectives to
determine effectiveness; use the results to help you focus during the audit.
Have all relevant documentation such as manuals, procedures, standards, contracts, etc. to hand and
study it; it will form part of the audit checklist. Also review the results from previous audits.
No Formal System

What if there is no formal, documented system in place? In a situation where there is no formal
documented system in place, the following steps should be taken:

• Purpose, Objective, Scope
o Establish or agree on the purpose, objective and scope of the audit
• Criteria
o Identify criteria against which the audit is to be performed, including any quality
standard or contract requirements
o Determine whether requirements of a standard or contract apply
• Documentation
o Ask for any documented policy statement and quality objectives
o Ask for any instructions, procedures, forms, records, brochures or any other
documents that relate to the activities to be audited
• Checklist
o Prepare checklist of people, activities, documents and records to be reviewed


The auditor should then plan the audit as normal.
Work Documents

There are several work documents used by the audit team for the purpose of reference and recording
the proceedings of the audit. These include the following:

• Audit procedure
• Audit checklists
• Sampling plans
• Forms for recording information, records of meetings and audit findings
It is necessary for Auditors to ensure that they are adhering to the audit procedure.
Audit Checklists

Audit checklists are a set of prompts or reminders of important topics to inquire about, and things to
look for, based on the descriptions of the operations being examined.
There can be two types of checklists, like the two types of audits:

• Systems
• Conformance, Performance and Improvement

Advantages:
• The checklist gives the auditor confidence.
• It ensures that the really important questions are not overlooked.
• Aids concentration and keeps the Auditor on track.
• Enables the Auditor to remain focused after a delay or diversion.
• It facilitates note-taking.
• The Auditee knows what to expect during the audit.
• Helps with time management.

Disadvantages:
• Auditors can become too reliant on the checklist and fail to adequately understand the
process being audited.
• It can interfere with the Auditor’s conversational style if treated as a script.
• It can be followed too rigidly and inhibit following new leads.
• The routine can become familiar to the auditee if the same checklist is kept and re-used.

Finally, checklists can be in several different formats. Some checklists are in the form of questions. An
Auditor with more experience and a good knowledge of the activity being audited might simply record
the key words.
Guidance from ISO 9001 Auditing Practices Group available from
www.iso.org/tc176/ISO9001AuditingPracticesGroup


Teamwork

Audit teamwork assignments. There may be a need to assign to each team member responsibility for
auditing specific management system processes, functions, sites, areas or activities.
• Responsibilities assigned by Audit Team Leader in consultation with the audit team.
• Such assignments should consider the need for auditor independence, competence and
efficient use of resources.
• The audit team members should review all relevant information related to their audit
assignments and prepare any work documents necessary for those assignments.
• More information on audit team members and their responsibilities are given in this
Course Manual.
Classification of a Non-Conformity

Prior to the commencement of an audit a decision needs to be made if a classification system is going
to be used for non-conformities that may arise during an audit.
ISO 9000 defines a non-conformity as:

“nonfulfillment of a requirement”

The definition covers the departure or absence of one or more quality characteristics or quality system
elements from specified requirements.
There is no universal grading system for non-conformities. Some organisations do not use any grading
system.
The purpose of a grading system is to prioritise tasks for those who need to take corrective action and
to help management to prioritise findings.
One example of a classification system is as follows:
Major
Major quality system deficiency / lack of a system / product or service deficiency.
For example, in the case of a system deficiency, ISO 13485:2016 (clause 4.1.5) states that:

“When the organization chooses to outsource any process that affects product conformity to
requirements, it shall monitor and ensure control over such processes.”

If a company has no established practices for doing this, then it does not fulfil the requirements.
Minor
Isolated non-conformity
The non-conformity genuinely appears to be isolated without any clear underlying cause and perhaps
where no corrective action can be formulated. There is a defined system, documented procedures
and arrangements are in place which generally satisfy agreed requirements. The activity being audited
can demonstrate an acceptable level of implementation overall, but there are minor discrepancies.
An example of a minor discrepancy is where training records are available, but not sufficiently
detailed.


Observation
This is an observation and relates to a situation which does not represent an outright non-conformity.
In the auditor’s judgment it warrants clarification or investigation, so as to improve the overall status
and effectiveness of the quality system.
Another example of a classification system, in this case in the pharmaceutical industry is as follows:
A critical non-conformity is one that can affect the quality and safety of the product and may cause
harm to the patients if administered.
A major non-conformity is one that may affect the quality and safety of the product, and includes
unauthorised process changes, unvalidated manufacturing processes that have a major impact on
quality.
A minor non-conformity is not likely to affect the quality and safety of the product. These include
deficiencies arising out of lapses in discipline e.g. failure to review an SOP at the due date, using
correction fluids to amend records, etc.
Guidelines for Productive Meetings
There are many stages during an audit where meetings are held. These could include:
• A preparatory meeting among the auditors
• Opening meeting with the auditee
• Auditor team meeting prior to the closing meeting
• Closing meeting with the auditee
Some general guidelines for conducting meetings are useful to ensure that meetings are as productive
as possible.


8. Carrying out the Audit / Conducting Audit Activities

• Opening Meeting
• Auditing a process
• Audit methods
• Sequence for audit
• Auditing effectiveness and improvement
• Key tasks to look at during the audit
• Collecting information
• Communications
• Audit Sampling
• Preparing for Closing Meeting
• Closing Meeting
• ISO 9001 Auditing Practices Group
Opening Meeting

A 2nd and 3rd party audit will commence with a formal opening meeting where the audit team will meet
representatives of the audited company’s management team.
During a 1st party audit you may judge that the same degree of formality is not necessary.
Nevertheless, a more formal opening meeting will impress the importance of internal audits when this
discipline is first introduced.
The way this meeting is conducted will have a critical influence on the success of the audit. This
meeting sets the tone for the overall audit and you never get a second chance to make a first
impression.
• Introduce the members of the Audit team
• Re-emphasise the purpose and scope of the audit and ensure it is understood
• Confirm the standard and audit criteria to be used as the basis for the audit
• Explain what each auditor will be looking at with approximate timetable
• Give a short summary of the methods and procedures to be used
• Method of reporting and classification of non-conformities
• Clarify any interim meetings which may be necessary
• Give details of the purpose of the closing meeting and who should attend
• Ensure that Audit guides are available and that they have been briefed
• Confirm the domestic arrangements (office accommodation, meals, etc.)
• Verify the organisation’s staff have been informed that the audit is taking place
• Confirm relevant work safety, emergency and security procedures for audit team.
• Arrange a tour of the premises or map it out for the audit team
• Mention the confidentiality aspect of the audit
Auditing a Process

To adequately audit a process, auditors need to gather information on or determine the following
about the process, whether the process is documented or not (numbers in brackets indicate clauses
of ISO 13485):

• Process being evaluated (4.1)
o Boundaries of the process to be audited (4.1)
o Beginning boundary step(s)
o Ending boundary step(s)
o Interlinked processes feeding into and out of the process
o Activities/sub-processes that make up the process
• Process objectives and related targets, measures, actions and current results (7.1)
• Inputs/resources and related suppliers’ requirements, measures and results (7.1)


• Outputs/outcomes and related customers, requirements (targets), measures and results (7.1)
• Recent changes to the process and evidence of control (4.1.4)
• Trend analysis of data on the process/product, including quality of output, non-conformances,
scrap, on-time deliveries, customer feedback (internal & external), etc., that indicates the
performance of the process (8.4)
Inputs to the Process

• Relevant process components such as:
o Manpower (or personnel) (6.1, 6.2, 5.5)
o Machinery (or equipment) (6.1, 6.3, 7.6)
o Material (including incoming, work in progress and final product) (7.4, 7.5)
o Methods (4.2)
o Measurement (8.2)
o Work environment for the operation of the processes (6.4)
• Improvement programme in place (8.5)
Once understood, the auditor might draw a flowchart or process map as guide.
To simplify audit planning, you could use the following formula for auditing:

(E + I) + 4M’s + Work Environment

Where E = Effectiveness
I = Improvement
4M’s = Manpower, Machinery, Material, Methods.
Audit Methods

• Trace Forward
• Trace Back
• Random Department

Trace forward:
This involves starting at the sales or customer contract stage and following the product or contract
through the various work areas and departments associated with the process stages.
The end point is where the product is handed over to the customer and any subsequent customer
support. This method can also apply to a sub-process.


Trace Back:
This method works in the opposite direction and can involve the selection of a product or contract
and challenging the various process steps it has gone through.
Random Department:
Auditor visits the departments or work areas that are of interest in whatever order the auditor
chooses. Major disadvantage of this method is that organisational problems such as
interdepartmental interfacing difficulties are not readily apparent.
Sequence for Audit

A useful sequence for the audit is:

• Effectiveness
o Compare the results obtained against the objectives or targets set
o Study trends for approximately the past six months
• Improvement
o Discuss improvement plans based on how effective the process is and what the plans
are to close the gaps
• Conformance
o Based on the above findings, check the relevant conformance issues. For example, if the
objectives or targets are not being achieved, the reason is likely to be related to the
process inputs
The above approach uses risk-based auditing, i.e. the audit focuses on where the risks are to the
business. Guidance from ISO 9001 Auditing Practices Group available from:
www.iso.org/tc176/ISO9001AuditingPracticesGroup
Auditing Effectiveness and Improvement

Conformance type auditing is relatively easy and straightforward. What is more difficult is auditing
Effectiveness and Improvement. Effectiveness looks at performance measures against the objectives
set and the extent to which planned activities are realised.
Key questions to ask during a Performance and Improvement Audit are:

(numbers in brackets indicate clauses of ISO 13485)

• What are the objectives? (5.4.1)
• Is the data analysed? (8.4)
• How often is the data analysed?
• What sort of trends appear?
• What methods of analysis are used to improve the process and to improve product?
• Do the methods get to the root cause(s) of the problem?
• What levels of improvement in product / process is the auditee achieving? (8.5)
• Over what period have these improvements been obtained?


The sum of those questions enables the auditor to conclude the existence or otherwise of an
improvement programme and its efficiency.
In addition to looking at the auditee’s improvement programme, the auditor may also make their own
suggestions for improvement. This may result from their own experience or during discussions with
auditees throughout the areas being audited. Most personnel are quite happy to get the opportunity
to suggest improvements.
If continual improvement is a requirement as in the case of ISO 13485:2016, a Corrective Action
Request (CAR) is justified in the following circumstances:
• The auditee has no programme or policy for pursuing continuous improvement
• The auditee has such a policy or programme but it is not being implemented
• The auditee is implementing such a policy or programme but has realised no or very little
improvement over a reasonable period of time.
Most of the above questions will be directed at senior and middle management.
A more detailed set of questions can be developed by examining the “context of the organisation”,
and “leadership” requirements specified in ISO 13485:2016 and turning these requirements into a set
of questions.
Next Level of Auditing

Based on the outcome of the audit on Effectiveness and Improvement, the auditor will then need to
examine in greater detail those tasks posing greatest risks. Refer to your student workbook on key
activities to look at during an audit.
During the Audit
The Auditor needs to control

• The time
• The interview
• The sample
The Auditor selects

• The people with whom to speak
• The records to look at
Auditing is done to find facts, through objective evidence, not to find fault. The purpose is not to
apportion blame or impose a specific corrective action.
Collecting Information

• Sources of information
• Collect information by proper sampling
• Audit evidence
• Audit findings (obtained by comparing the evidence against audit criteria)
• Audit conclusions
Get the broad picture before focusing on the detail.
Information may be obtained from several sources such as:


• Interviews
• Observations of activities and the surrounding work environment and conditions
• Documents
o Policy
o Objectives
o Plans
o Procedures
o Instructions
o Licenses and permits
o Specifications
o Drawings
o Contracts & Orders
• Records, such as inspection records, minutes of meetings, reports or logbooks on customer
complaints and other relevant communication from external interested parties, audit reports,
monitoring programmes and results of measurements
• Reports from other sources, for example, customer feedback, external reports and vendor /
supplier ratings; data summaries, analyses, metrics and performance indicators
When conducting a document review the auditor should consider if the information in the documents
provided is:

• Complete (all expected content is contained in the document)
• Correct (the content conforms to other reliable sources such as standards and regulations)
• Consistent (the document is consistent in itself and with related documents)
• Current (the content is up to date)
Information should also be collected relating to interfaces between functions, activities and processes.
Interviews are an important means of collecting information and should be carried out taking the
following into account:

• Interview persons from different levels and functions, and especially persons
performing the activities or tasks under consideration
• Whenever possible, the interview should be conducted during normal working hours and at
the normal workplace of the interviewed person
• Initially introduce yourself
• Every attempt should be made to put the interviewed person at ease
• The reason for the interview and any note taking should be explained
• Interviews may be initiated by asking the persons to describe their work
• Be systematic and don’t “jump around” too much
• Speak the person’s language; there are a lot of buzz words in ISO 13485:2016, rephrase the
question if necessary
• Speak clearly and carefully
• If the information is unavailable, agree a time to be given to you; onus is on the Auditee
• If Auditee feels threatened or anxious, back off, rephrase the question or ask a different
question
• The results from the interview should be summarised and any finding should be verified with
the interviewed person where possible
• The interviewed persons should be thanked for their participation and co-operation


Applicable Audit Methods

The applicable audit methods depend on the extent of involvement between the auditor and the
auditee (human interaction or no human interaction) and on the location of the auditor (on-site or
remote):

Human interaction, auditor on-site:
• Conducting interviews
• Completing checklists and questionnaires with auditee participation
• Conducting document review with auditee participation
• Sampling

Human interaction, auditor remote (via interactive communication means):
• Conducting interviews
• Completing checklists and questionnaires
• Conducting document review with auditee participation

No human interaction, auditor on-site:
• Conducting document review (e.g. records, data analysis)
• Observation of work performed
• Conducting on-site visit
• Completing checklists
• Sampling (e.g. products)

No human interaction, auditor remote:
• Conducting document review (e.g. records, data analysis)
• Observing work performed via surveillance means, considering social and legal requirements
• Analysing data
On-site audit activities are performed at the location of the auditee. Remote audit activities are
performed at any place other than the location of the auditee, regardless of the distance.
Interactive audit activities involve interaction between the auditee’s personnel and the audit team.
Non-interactive audit activities involve no human interaction with persons representing the auditee
but do involve interaction with equipment.
An auditor should not ask too many follow-up questions pertaining to the one item. There is a danger
here that the auditor goes off on a tangent, gets involved in too much ‘nitty-gritty’ and as a result may
lose focus. This could cause frustration for both the auditor and auditee.
Communication

• Asking Questions
• Listening
• Notetaking
• Behaviour
• Conflict Management
Questions
Most questions should open with one of Who, What, Why, Where, When and How.

• Use a combination of open and closed questions
• The six words above lead to open-ended questions and do not get a “yes” or “no” reply
• When discussing documents and records, objective evidence can be requested by asking,
“Please show me”
• Hypothetical questions, e.g. “What procedure would you use if there was a non-conforming
product or service?”
• Silent questions: information volunteered due to silence (use sparingly)


Listening
There has been a lot of research into the different ways in which people communicate with each other.
The consensus seems to be that on average words account for only 7% of the message.
Tone of voice accounts for about 13% and a mighty 80% of the message is conveyed through body
language.
Clearly there is a whole lot more to listening than just straight-forward word recognition. Words are
important, but they are only at the surface of what the listener needs to know.
L = Look interested, get involved
I = Involve yourself by responding
S = Stay on target
T = Test your understanding
E = Evaluate the message
N = Neutralise your feelings
Hearing and Listening
Hearing and listening are not the same thing at all. The key difference is that hearing is done with the
ears, and listening is done with the mind. Ability to hear therefore is a physical attribute whilst ability
to listen is a mental one, and it is important to understand this from the start.
Note-Taking
Taking notes is one obvious method listeners can use to bolster their memory of what is being said.
Excessive notetaking however is distracting and off-putting to the speakers, and it is not especially
useful to the listener either.
Much research has been done into the value of notetaking as a memory jogging technique. The
results seem to indicate that, whilst notes are important, the fewer you make the better. There are
two reasons why:
1. Compulsive note-takers do not have time to make the signals or gestures which tell the
speaker how their message is being received, so the speaker gets little or no feedback
2. Nobody can write as fast as people speak. So, in trying to make detailed notes the listener
gets left behind and will probably miss whole chunks of the speaker’s message because of it
The first and most important rule about notetaking therefore is that notes should be brief and to the
point:

• Keep it short and simple

The second rule is to be:

• Discriminating
Use notes only for the important things, as an aid to memory.
Some examples of what to record during the audit are outlined next and should be read in conjunction
with the ISO 9001 Auditing Practices Group guidance document available from:
www.iso.org/tc176/ISO9001AuditingPracticesGroup


Audit Trail
Example of what to record during an audit trail.
Activity / task / element, with examples of records to keep during the audit process:

Personnel
• Person's name or employee number
• Notes relating to evidence found during the audit of activities
Equipment
• Serial number
• Asset number
• Notes relating to evidence found during the audit of activities
Product
• Part number
• Batch number
• Quantities
• Supplier
• Notes relating to evidence found during the audit of activities
Methodology
• Document number
• Revision number
• Approvals
• Notes relating to evidence found during the audit of activities
Measurement
• Method reference
• Name of inspector
• Sampling plan
• Acceptance criteria
• Notes relating to evidence found during the audit of activities
Work environment
• Area visited
• Notes relating to evidence found during the audit of activities

Behaviour

In most cases the area being audited is a customer of the auditor. The auditor is providing a service.
Therefore, auditor behaviour should relate to a supplier-customer relationship.
It is also useful to keep in mind that most of the time during an audit, the auditee should be in the
talkative mode. Therefore, anything the auditor can do to facilitate this will tend to make an audit
more successful. The following are some guidelines which could be used:

• Be courteous
• Be composed and resilient
• Be punctual, be aware of time wasting by the auditee.
• Have a good sense of humour
• One-upmanship is not recommended
• Be professional – deal with issues and not personalities
• Discuss problems as they arise, this saves time and avoids seeking clarification later
• When necessary be assertive
• Agree to disagree, don’t argue
Conflict Management

• Calm the situation
• Empathise
• Listen (Do not interrupt)

Audit Sampling
As previously stated, an audit will only consist of a sample.
It has been shown from experience that a relatively small number of samples is enough to reveal a
major problem.
Depending on the audit objectives, it may be reasonable to select three to five samples, provided no
non-conformities are found. If, however, the sample shows up one or more non-conformities then the
auditor must take further samples or request the auditee to purge the area further to discover the
true extent of the problem.

What Is Adequate Sampling?

There is no mandated statistical or mathematical formula to establish the right number of samples
to be taken during an audit, although reference could be made to ISO 2859, the acceptance sampling
standard.
Defining the number of samples (e.g. one, five, or even more samples of records for a requirement)
to be taken to confirm compliance to the requirements is not efficient and does not ensure
compliance. It is of course a fact that by increasing the number of samples taken, the auditor has a
greater confidence regarding the actual status of the implementation of the QMS. Adequate sampling
is the sample taken during interviews and record reviews for confidence building that the auditee QMS
is implemented as described and is effective.


Audit Evidence

Audit evidence (that is, records, verified statements of fact or other information relevant to the audit)
should be identified and recorded. If in doubt, give the benefit to the auditee. Audit evidence collected
during an audit will inevitably be only a sample of the information available, since an audit is
conducted during a finite period and with limited resources. There is thus an element of uncertainty
inherent in all audits, and attention of users of the audit conclusions should be drawn to this
uncertainty.
Collected audit evidence needs to be evaluated against the audit criteria (i.e. the set of policies,
procedures or requirements against which collected audit evidence is compared) to generate the audit
findings, defined in ISO 9000 as:

“results of the evaluation of the collected audit evidence against audit criteria”
An audit finding can indicate either conformity or non-conformity with requirements. Audit findings
may be graded in accordance with the audit plan.
Conformities should be summarised to at least indicate locations, functions or requirements audited.
Individual audit findings of conformity should also be documented if within the agreed scope. Non-
conformities should be recorded and supported by audit evidence.
Non-conformities should be reviewed with an appropriate auditee representative to obtain
acknowledgement of the audit evidence. The auditee representative’s acknowledgement indicates
that the audit evidence is accurate, and that the nonconformity is understood.
Every attempt should be made to resolve any divergence of opinion concerning the audit evidence,
and unresolved points should be recorded. Regular meetings may be scheduled with the auditee
and/or client to report progress and findings. For example, meetings may be held for audits that last
longer than a day. The auditor should explain that it may not be possible to write and grade
observations and non-conformities until the end of the audit, when the whole of the management
system has been audited and the significance and impact of the problem understood.
Preparing for the Closing Meeting

After all activities have been audited, the audit team should review all their findings to determine
which are to be reported as conformities (strengths) and which as non-conformities (areas for improvement).
Ensure findings are documented in a clear, concise manner and are supported by objective evidence.
Non-conformities should be identified in terms of the specific requirements of the standard or other
related documents against which the audit has been conducted.
Documenting Findings
There are three key elements to documenting findings:
1. State the requirement and where it came from:
“Procedure XYZ states ….”
“ISO 13485 Clause 7.1 states …”
“Management intent is for …”
2. State what you observed
“Two of five employees interviewed did not know the new quality policy”
3. State whether it is a non-compliance, observation or conformance and with what requirement
“Non-conformance for failure to follow the requirements of Procedure XYZ Section 3.1”
“Non-conformance for failure to follow the requirements of ISO 13485 7.1”
If a classification system for non-conformities is being used, non-conformities should be classified at
this stage. Guidance from ISO 9001 Auditing Practices Group is available from:
www.iso.org/tc176/ISO9001AuditingPracticesGroup
Closing Meeting

For 2nd and 3rd party audits, a formal meeting is essential. In a 1st party audit the meeting can be
shorter, less formal and even somewhat fragmented, but the principle still holds.

• Thank the organisation or area for their help and co-operation.
• Introduce the team and clarify the objective of the audit and the method used
• Report the audit findings, strengths - non-conformities and observations
• Discuss the audit conclusions
• Discuss corrective actions
• Agree corrective action timescales, based on risk
• Indicate when the written report will be available
• In the case of 2nd and 3rd party audits, the auditor would normally indicate whether they are
going to recommend that the company be added to the Approved Vendor Listing (2nd party)
or recommended for certification/registration (3rd party).
• Indicate the approximate date for the next audit
• A hand-written copy of non-conformities can be given to management at this stage but should
be followed up by a typed version later.
Remember that the audit team will normally have been feeding back information to the auditee during the
audit, so there should be no reason for any surprises at the closing meeting. The Audit Team Leader should
chair the meeting and summarise. However, each team member could introduce the strengths and areas
for improvement that they themselves have identified.
During a 1st party audit it is normal for the management and supervision of the area being audited to be
present at this meeting. In the case of a 2nd and 3rd party audit more senior management would be present.
In relation to giving advice, the auditor may also make recommendations to the auditee for improvements
to the quality system. Recommendations are not binding on the auditee. It is up to the auditee to determine
the extent and means of actions to improve the quality system.
If you have kept people informed on the progress of your findings during the audit, and the information
you present at the closing meeting is detailed and based on objective evidence, there is little scope for
disagreement. However, in the case of a disagreement, rather than leaving an area for improvement
without any auditee management commitment, it may be necessary to obtain a signature on the audit
report on the understanding that it signifies only that the finding claimed is understood, not necessarily
accepted. In this case the date to be filled in is the date by which the manager, having investigated the
claim, will come back with a response.
In the case of a complete impasse it may be necessary to hand the problem over to a higher level. Indeed,
some organisations' internal audit procedures specify the steps to be taken in this situation. In the case of
a 3rd party audit, the company has a right to appeal to the management of the certification / registration
body. It is a requirement of accreditation of the certification / registration body that such an appeals
procedure is defined.


9. Audit Report
• Audit Report
• Report Templates
• Audit Report Status Log
Guidance from ISO 9001 Auditing Practices Group; Writing Audit Reports
Include in the Audit Report

• Introduction (purpose, audit objectives, scope, type, criteria, date(s), duration, auditors,
auditees, confidentiality).
• Executive Summary
• Strengths (start with these and in order of priority)
• Areas for Improvement (list in order of priority)
• Timescales for Improvements
Keep the report simple.
The Report is completed in the following manner:

• The auditor completes the report up to and including “Non-Conformity”.
• Both the company representative and the auditor sign the form.
• The company representative completes the “Corrective Action” and “Action Taken to Prevent
Recurrence” sections.
A similar type of report can be prepared where there is no non-conformance but, for example, an
observation has been made by the auditor which could lead to improvement.
Distributing the Audit Report

The audit report should be issued within an agreed period. If delayed, the reasons should be
communicated to the auditee and the individual(s) managing the audit programme.
The audit report should be dated, reviewed and accepted, as appropriate, in accordance with the audit
programme.
The audit report should then be distributed to the relevant interested parties defined in the audit
programme or audit plan. When distributing the audit report appropriate measures to ensure
confidentiality should be considered.


10. Corrective Actions

• Corrective Action
• Verifying Corrective Action
Corrective Action

Less auditing and more action (improvements) should be the motto. Continual improvement should
be the aim for the internal audit programme. Where action has not been taken by the agreed
timeframe, highlight this to management. Have this as part of the audit procedure so nobody is
surprised. Don’t annoy the auditee by continuously following up on outstanding issues.
Follow up on the major issues; minor ones generally take care of themselves.

The corrective action cycle runs as follows:

1. Detect non-conformity
2. Report non-conformity
3. Review non-conformity against criteria
4. Issue CAR
5. Perform root cause analysis
6. Evaluate need for corrective action
7. Implement corrective action
8. Record the results of actions taken
9. Verify effectiveness of actions taken

Verifying Corrective Action

• Make a special return visit (e.g. major problem).
• Have amended documentation sent to you (e.g. minor problem).
• Wait until the next scheduled visit (e.g. minor problem).
Whatever the method for following up on corrective actions, it is advisable to enter all non-
conformances on a company database and to prioritise corrective actions frequently, such as monthly.
It may not always be easy to verify the effectiveness of action. Short-term actions might involve re-
training.
Whereas short-term actions are usually easy to define, the long-term actions may be more difficult to
formulate. When the auditor revisits, it is necessary to seek evidence that the action was successful.
It may be some time before enough data is available on which to base a judgement. If there is any
evidence that a corrective action was not successful, then a new CAR should be raised and
cross-referenced with the previous one. Guidance from the ISO 9001 Auditing Practices Group is available from:
www.iso.org/tc176/ISO9001AuditingPracticesGroup


11. Audit Programme Review and Golden Rules

Audit Programme Review and Improvement

The operation of the audit programme needs to be monitored and periodically reviewed to assess
whether objectives have been met. This can be done as part of management review (Clause 5.6 of ISO
13485:2016). Monitoring should be ongoing; examples include:

• The ability of the audit team to meet audit objectives
• Conformity with audit programme and schedules
• Feedback from audit client, auditee and auditors
• Observing an auditor
• Interviewing auditors to identify gaps in knowledge
The audit programme review should be carried out to assess its effectiveness and identify
opportunities for its improvement by considering, for example:

• Results and trends from monitoring
• Conformity with procedures
• Evolving needs and expectations of interested parties
• Audit records
• Alternative or new practices
Golden Rules for Auditing

Preparation

• Understand how all processes knit together
• Understand the process to be audited
• Know what the key risks to the process are
• Know the requirements of the relevant standard
• Determine up front what the emphasis will be on during the audit:
o Effectiveness
o Improvement
o Conformance / Compliance
• Have an audit plan
• Have a checklist
• If on a team, know what your role is

Audit

• Think “big picture”, don’t get lost in detail
• Check that the PDCA methodology is being applied to all key business processes
• Establish customer (external / internal) satisfaction with the process
• Check that process improvements are in place where processes are not achieving their KPIs
• Don’t allow the checklist to take over
• Randomly select (a cross-section of people, equipment, etc.)
• Don’t just audit documents and records; look at other sources of information
• Take time to examine and study evidence presented to you
• Don’t go looking for fault
• Keep a check on your personal attributes
• Set the right tone
• Keep an open mind
• Listen
• Neutralise your feelings
• Keep notes short and simple
• Use your judgement for interpretation of requirements of standards
Report

• Keep reports factual, short / simple; should reflect what was agreed at the closing meeting.
Corrective Action

• Prioritise for follow-up on corrective actions.


12. Audit Guides and Certification Scheme for Quality Management System Auditors

Audit Guides
Audit guides are important to ensure the smooth running of an audit. They are particularly relevant
during a 2nd and 3rd party audit. Guides are generally selected from senior or middle management
depending on the size of the organisation. Once audits have become routine, some organisations
allocate this role to less senior management.
Like auditors, guides should be:

• Open-minded
• Mature
• Possess sound judgement
Audit guides should be able to perceive situations in a realistic way to understand complex operations
from a broad perspective and to understand the role of individual units within the overall organisation.

Auditor Certification
The registration process is similar for the different national auditor certification bodies. The one
described here is for IRCA.
In order to be eligible for registration, successful participants should make application to IRCA within
a three-year period from the date of the course (Lead Auditor Only).
IRCA registration is an important qualification which proves that a management system auditor is
highly competent. IRCA registration gives employers confidence that an auditor has the necessary
skills and experience to audit their management systems effectively. Equally, auditors gain
professional recognition and improve their job prospects.
For more details about the benefits of becoming IRCA registered, see www.irca.org


Help Us to Improve Your Experience

Approved Training Partner


We hope you enjoyed your course. As part of our internal assurance process, you will shortly be
contacted by the CQI and IRCA for feedback on the course and your Approved Training Partner (ATP).
If you do not receive the survey within two weeks of finishing your course, please contact your ATP to
ensure they have your correct details on record.
Completing this short survey will help to ensure the continuing high standards of these courses.

The CQI and IRCA offer a range of services to support you throughout your career. For more
information, please visit: www.quality.org


AUDITING / CONSULTANCY / TRAINING


Irish Quality Centre (IQC) is one of Ireland’s leading providers of Training, Consultancy and
Auditing in Quality, Environmental and Health and Safety Management Systems.

Our internationally IRCA-approved Auditor Training courses are delivered across Ireland and
Europe.

We have a team of expert consultants supporting all industries. For more go to www.iqc.ie

Auditing
Having difficulties with your internal or supplier audit programmes? We will
carry out both internal and supplier audits for you focusing on effectiveness of
the systems, compliance, and continuous improvement.

Training
The real value-added obtained from training is having your own quality training
courses customized to suit your specific needs. This is where the IQC tailored
training courses can help organisations who require more than generic off the

Consultancy
Confidence in the advice you receive is of paramount importance to your business.
IQC is respected for its level of expertise and down to earth approach on
standards such as quality management systems, safety management systems
and environmental management systems.
Internationally approved by IRCA
+353 1 204 0646

[email protected]

WWW.IQC.IE
