ISO 9001 Lead Auditor Delegate Workbook V1 R0.0

QMS Auditor/Lead Auditor

Delegate Workbook
Welcome to your CQI and IRCA Certified
ISO 9001:2015 Lead Auditor (Quality Management Systems)
course
LRQA has been independently assessed and approved by the CQI and IRCA. This means they have
the processes and systems in place to deliver certified courses to the highest standard.

About the CQI and IRCA


The CQI is the only chartered professional body dedicated entirely to quality. IRCA is its specialist
division dedicated to management system auditors.

The CQI leads the quality profession and is dedicated to promoting excellence through the key
competencies of Governance, Assurance and Improvement.

We hope you enjoy your course.


Contents
Session 1 - Course Overview
ISO 19011 Guidelines for Management Systems Auditing
Skills and Performance Criteria
Session 2 - Verification of Pre-Coursework
Session 3 - ISO Purpose and Overview
Session 4 - ISO 9001 Clause Requirements
Session 5 - ISO 9001 Clause Requirements
Understanding ISO 9001 - Exercise
Day 1 - Evening Work
Leadership and Commitment – Examples of Audit Evidence
Session 6 - Audit Roles and Responsibilities
Who Does What? – Exercise
Roles and Responsibilities
Session 7 - Overview of the Audit Process
Session 8 - Pre-audit Activities and Scope
Session 9 - Stage 1 Audit
Introduction to the Case Study
Audit Team Brief
Case Study 1 – The Organization and its Context
Case Study 2 – Risk and Opportunity
Day 2 - Evening Work
Session 9 Continued: Top Management Meetings
Case Study 3 – Top Management Interview
Case Study 4 – Planning the stage 2 audit
Stage 1 Audit reporting
Session 10 - Meetings
Session 11 - Process Audits
Structuring a Process Audit Checklist
Checklist for a Process Audit
Process Audit Checklist Template
Day 3 - Evening Work
Session 12 - Audit Reporting
Session 12 Continued: Grading Nonconformities
Session 13 - Corrective Action
Exercise: Reviewing Corrective Actions
Session 14 - Audit Skills
The Interview Funnel
Session 15 – 6-Stage Approach to Audit
Day 4 - Evening Work
Session 15 Continued: Case Study Exercise – CovSec Audit
Session 16 - Consolidation
The Role of CQI and IRCA in Auditor/Lead Auditor Development

Session 1 - Course Overview
Course Objectives
The purpose of this session is to prepare you for the course and give you an opportunity to get to
know tutors and other delegates.

The course concentrates on development of core audit skills that will enable you to perform the
above activities.

Course programme
The course is structured to follow the stages of a typical external audit process.
There will be plenty of opportunity for you to practise your skills at each stage. You will apply
your skills in the audit of the case study organization, and by the end of the course you will have
participated in all parts of this process.

Before the course


Section H of the pre-course pack asked you to identify your personal objectives for the course.
The tutor will ask you to share these at the start of the course.

During the Course


Refer to your personal objectives to help you plan your development throughout the course. If you
feel you are not fully meeting your personal objectives, please speak to the tutor, who will help you
with this. If your personal learning objectives are outside the scope of this course, the tutor may be
able to suggest ways in which you can achieve them.

Each day there will be opportunities for you to practise certain skills. You will receive feedback on
your performance from:
▪ Yourself: how well do you think you did?
▪ Other learners
▪ Tutors

Some of this feedback will be verbal, and some will be written. Written assignments will be
marked by tutors who will let you know your mark and give you feedback as necessary. The
tutors will complete the individual feedback sheet each day and let you look at this each
morning. A copy of the completed form will be given to you at the end of the week.

After the Course


In addition to personal development to fulfil your existing role, you may wish to gain further
recognition of your audit and quality related skills such as Auditor/Lead Auditor Certification.

If you wish to register as an auditor/lead auditor, you will need to provide evidence that you meet
the CQI and IRCA requirements for training and the IRCA requirements for audit experience. This
will be covered in more depth later.

Delegate assessment
You will need to complete these elements in order to successfully complete the course:

▪ There are 4 elements to the delegate assessment process:
- Continual assessment of your skills
- Completion of written work assignments
- Monitoring of your attendance
- End of course exam

▪ Meet the formal training requirements of CQI and IRCA. See the final session for further
details
▪ 100% attendance is mandatory

You will need to pass each of these 4 elements in order to successfully complete the course
▪ Auditing
▪ Task management
▪ ISO 9001 application
▪ Client and team management

Each skill group is made up of several skills, and the standards of performance expected of a
competent auditor for each skill are detailed in performance criteria at the end of this section. You
can use these performance criteria to help you identify strengths and weaknesses in your own
performance. Your trainer will observe you during the course, and will give you feedback each day,
using the traffic light system that is described on the Continual Assessment Individual Feedback
Sheet. There will be plenty of opportunities for each delegate to demonstrate each of the skill
groups by the end of the course, and to successfully complete the course you must:

▪ Participate in all activities and exercises
▪ Take a team leader role in a group exercise, or act as a Lead Auditor in one of the 4 audits
▪ Conduct an audit of the case study organization
▪ Attain a green “on track” grade for each of the skills groups before the end of the course

As the course progresses and as you learn more, you will be asked to demonstrate your increasing
levels of knowledge and skills. So, what is expected of you will evolve throughout the course as you
develop and grow. For example, to gain an “on track” grade for auditing on day 4 you will need to
do much more than you did on day 1. What this means for you is that it’s possible that you could
get a green “on track” grade on day 1, and a red “improvement needed” grade for the same skill
on day 3 (or vice versa of course!). Your trainer will use the traffic light system to make it clear for
you what you need to pay attention to. Please speak with the trainer if there is any aspect of your
feedback that you are not clear about.

EXAM
The examination will be conducted following the course. The examination will be in four sections
and you must score at least 50% in each section, with a minimum overall score of 70% to pass the
exam.
The exam is designed to test your knowledge, understanding and application of management
systems auditing. The exam questions could relate to any aspect of the pre course document, any
of the topics covered on the course and any of the requirements of ISO 9001.
During the exam you will be able to refer to a clean copy of ISO 9001 (i.e. one that has not been
annotated in any way). The exam is administered verbally, with some supporting written
displayed prompts. Your response will be captured and graded accordingly. Each examination
session is recorded to provide evidence of completion to IRCA, and to provide review and
moderation of tutors.

If you fail the exam, you will be allowed the opportunity to resit that particular part of the exam
that you failed. If you fail any other element of the assessment, you would need to re-take the
whole course.

Your results will be sent to you.

If you wish to appeal against your assessment or examination results, please contact LRQA.

ISO 19011 Guidelines for Management Systems Auditing
ISO 19011 provides guidelines for quality and environmental management systems auditing,
which can also be applied to any type of management systems audit.

Extract from ISO 19011 Clause 4, ‘Principles of auditing’:


▪ Integrity: the foundation of professionalism
▪ Fair presentation: the obligation to report truthfully and accurately
▪ Due professional care: the application of diligence and judgement in auditing
▪ Confidentiality: security of information
▪ Independence: the basis for the impartiality of the audit and objectivity of the audit
conclusions
▪ Evidence-based approach: the rational method for reaching reliable and reproducible
audit conclusions in a systematic audit process
▪ Risk-based approach: an audit approach that considers risks and opportunities

Content of ISO 19011:


▪ Principles of Auditing
▪ Managing an audit programme
- General
- Establishing the audit programme objectives
- Determining and evaluating audit programme risks and opportunities
- Establishing the audit programme
- Implementing the audit programme
- Monitoring the audit programme
- Reviewing and improving the audit programme

▪ Performing an audit
- General
- Initiating audit
- Preparing audit activities
- Conducting audit activities
- Preparing and distributing audit report
- Completing audit
- Conducting audit follow-up

▪ Competence and evaluation of auditors
- General
- Determining auditor competence
- Establishing auditor evaluation criteria
- Selecting appropriate auditor evaluation method
- Conducting auditor evaluation
- Maintaining and improving auditor competence

Auditors should be familiar with ISO 19011 and the IRCA Code of Conduct (or the equivalent). All
auditors who are registered with IRCA are required to comply with the relevant Code of Conduct.

Conformance with ISO 19011 and/or the IRCA Code of Conduct is rarely mandatory for 2nd party
auditors. However, the organization/supplier being audited may require evidence of the auditors'
competence and will expect the audit to be carried out in a professional manner. In this respect
ISO 19011 and the IRCA Code of Conduct may be considered as models of best practice.

This course embraces the guidelines of ISO 19011 throughout and has combined this with LRQA's
vast experience of conducting management system audits.

Skills and Performance Criteria
Skill Group Skills Performance Criteria

SKILL GROUP: Auditing

1. Information gathering
▪ Selects appropriate methods
▪ Able to prioritise information
▪ Gathers relevant information
▪ Follows up earlier audit trails
2. Interviewing
▪ Structures interviews
▪ Controls and directs interviews to ensure objectives met
▪ Asks open questions to explore general areas
▪ Asks closed questions to test specific facts
▪ Listens attentively
▪ Tests their understanding of what the auditee says
3. Observation
▪ Notices detail
▪ Is aware of peripheral activities
▪ Is able to link pieces of information
4. Selecting samples
▪ Sample sizes are sufficient to give evidence of conformity, or the scale of any
nonconformity
▪ Samples selected effectively test processes and process interfaces
5. Document search
▪ Assimilates information quickly and accurately
▪ Able to understand relationships between documents
▪ Able to differentiate between important and trivial information
6. Note taking
▪ Records all key items of information
▪ Able to produce accurate, comprehensive audit report from notes
7. Analysis of information
▪ Compares information with audit criteria, e.g. procedures and ISO 9001, to identify
conformity or nonconformity
▪ Able to establish links, or lack of them, between pieces of information
▪ Able to understand information in terms of auditee's business
8. Report writing
▪ All relevant information included
▪ Information expressed clearly, factually and concisely
▪ Report is complete - without requiring further verbal explanations

SKILL GROUP: Task Management


9. Time management
▪ Is punctual
▪ Achieves tasks effectively, within deadlines set
▪ Is organised and focused
▪ Adjusts programme to deal effectively with the unexpected
10. Planning and preparation
▪ Identifies objectives for tasks
▪ Selects appropriate means to achieve the task, within the time available.
▪ Able to identify areas of key importance and reflects these in plans
11. Monitoring & reviews
▪ Monitors progress against plans
▪ Identifies need to amend plans in order to achieve objectives
▪ As team leader, is aware of progress of other team members and reviews processes as
agreed
12. Decision making and evaluation
▪ Decisions are based on objective evidence
▪ Significance of issue is evaluated before decisions are made
▪ Decisions are unbiased and relate to requirements of standard

SKILL GROUP: ISO 9001 Knowledge and Application


13. Application relative to the client's organization
▪ Identification of most appropriate clause for specific situations
▪ Apply the standard logically
▪ Relate to the client's organization and industry sector
▪ Apply the standard without personal bias or influences
▪ Able to interpret client's terminology to that of ISO 9001
▪ Able to correctly interpret findings to requirements of ISO 9001

SKILL GROUP: Client and Team Management


14. Self-presentation
▪ Sounds confident and knowledgeable
▪ Behaves in a way that maintains the reputation of the organization they represent
▪ Appears professional
15. Rapport and relationships
▪ Builds rapport and creates an environment of trust and openness
▪ Is always polite and respectful
▪ Friendly and helpful, within the constraints of the relationship
▪ Maintains confidentiality
▪ Is open, direct and non-aggressive
▪ Is non-judgmental and does not apportion blame
▪ Respects the client’s culture and never uses terms that could be seen as offensive
16. Sensitive to auditee business needs and personal needs
▪ Flexible within constraints of completing an effective audit
▪ Demonstrates understanding of auditee's priorities
▪ Able to identify critical processes in order to deliver a value-added audit
▪ Uses auditee's terminology
▪ Able to empathise with auditee
▪ Does not put auditee under undue pressure
▪ Shows patience when appropriate
17. Non-verbal communication
▪ Is receptive to non-verbal signals and in particular can recognise discomfort in auditee
▪ Presents a positive and professional image in their use of non-verbal communications
▪ Makes appropriate eye contact
18. Presentation skills
▪ Information is structured and presented in a logical manner
▪ Explanations are clear, using simple, non-emotive language and avoiding unfamiliar
jargon
▪ Speaks clearly and audibly
19. Feedback skills
▪ Gives information accurately and assertively
▪ Information given at appropriate times, to appropriate people
▪ Feedback to colleagues is constructive and supportive
▪ Will confidently make, present and support decisions, even if the auditee disagrees
20. Conflict management
▪ Listens effectively and calmly
▪ Receptive to new information
▪ Provides clear information that the auditee understands and can benefit from
▪ Makes decisions in support of objective evidence
▪ Describes complaint procedure, if necessary
21. Team leadership
▪ Ensures members of the team work well together
▪ Motivates and supports team members
▪ Receptive to team ideas and suggestions
▪ Approachable
22. Delegation
▪ Allocates tasks to those who are competent to complete them
▪ Makes effective use of team resource
▪ Takes account of preferences of team members, where appropriate
▪ Instructions are clear, specific and understanding is tested
23. Intervening within team
▪ Identifies when intervention may be required
▪ Acts as a mediator where inter-personal conflicts arise
▪ Makes decisions
▪ Alters plans to ensure effective audit
▪ Is always fair and objective
24. Coaching team members
▪ Provides constructive feedback
▪ Uses questions to help team members to review own performance
▪ Offers suggestions for improvement
▪ Supportive and tactful

Use this space for your own notes:

Session 2 - Verification of Pre-Coursework
This is a small-group exercise. The purpose is to consolidate and develop your learning from the
pre-course work.
Working in your assigned team, prepare a short answer to each of the questions in the handout. All
of the information needed is in your pre-course work and your copy of ISO 9001. Refer to these to
prepare your answers.

Session 3 - ISO Purpose and Overview
Purpose of ISO 9001
ISO 9001 is a set of generic requirements that organizations can choose to use as the basis for the
design and implementation of a quality management system. It is intended to be used by an
organization to help develop effective systems for managing quality, particularly where the
organization needs to
“……consistently provide products and services that meet customer and applicable statutory and
regulatory requirements….”
“……enhance customer satisfaction through effective application of the system, including
processes for improvement of the system and the assurance of conformity to... requirements.”

ISO 9001 - Section 1


It is also an auditable standard that is used as the basis for 3rd party certification audits, and the
requirements can also be used as audit criteria for 2nd party supplier audits and 1st party internal
audits.
As an auditor, you will use the auditable requirements of ISO 9001 (which are found in sections 4 -
10 of the standard) as the benchmark against which you will compare audit evidence. You will need
to develop a good working knowledge of the standard, and a sound knowledge of quality
fundamentals and vocabulary found in ISO 9000.
In the pre-course workbook, there is a ‘Guide to ISO 9001 Requirements’ that will serve as a useful
point of reference during this training course. It will help you to consolidate your knowledge of the
purpose and key content of the standard.

Structure of ISO 9001


The standard is broadly modelled around the Plan Do Check Act cycle, in that the requirements
of these different activities tend to be grouped together.
▪ The direction and overall plan are set by top management (sections 4, 5 and 6)
▪ Resources needed to implement the plan are covered in section 7
▪ The “Do” part of the cycle is section 8 which covers operational activities
▪ Section 9 describes the requirements for checking and monitoring progress
▪ Analysing and evaluating data as the basis for making decisions and acting (section 10)

The parts of the standard that form audit criteria are contained in sections 4 - 10.

Context of the organization (Plan)
Clauses 4.1 and 4.2 help organizations to identify the variables that could impact on their ability to
carry out their operational activities and achieve their goals. Using this information, organizations
can prepare for a range of eventualities.

Clauses 4.3 and 4.4 ensure that organizations have all of the processes in place that are required
for their management system to work effectively, given the unique characteristics of their
business.

Leadership (Plan)
“People do what their managers pay attention to”. If meeting customer and regulatory
requirements, enhancing customer satisfaction and improvement of systems and processes are
important to top management, these will be the things they pay attention to, and so will get done.
Section 5 describes specific requirements for how top management make their commitment to the
customer and the quality management system, and how they support these commitments in a
practical sense.

Planning (Plan)
This section is all about transforming ideas and words into tangible goals and actions, to ensure
that things get done, and making sure that changes are implemented in a managed and
coordinated way.

Support (Plan)
The purpose of this section is to make sure that all the processes and the people operating them
that are needed for the management system have the resources and support they need to operate
properly; including the tools and equipment, competent people and up to date information.

Operation (Do)
This section covers the processes through which your organization provides products and services
for your customers. It’s likely that most of what you do as an organization is covered by the
requirements in this section. Its purpose is to ensure that your operational activities are planned
and controlled systematically, so they work properly and enable you to deliver products and
services that meet customers’ needs and expectations.

Performance evaluation (Check)
The purpose of this section is to ensure that all the processes in the management system are
delivering their intended results, and that the processes interact effectively in the overall system.

Improvement (Act)
The purpose of this section is to “close the loop”, making sure that improvements identified in
section 9 are implemented, which can be both reactive and proactive, and that improvement
objectives are fed back into plans (section 6).

Use this space for your own notes:

Session 4 - ISO 9001 Clause Requirements
Analysis of clause requirements
Auditors of management systems must be able to interpret and apply the clauses of ISO 9001 in
different situations. Auditors therefore must develop the skill of analysing the requirements of
each clause, to tease out the detailed and specific requirements.
The tutor will guide you through a method for analysing clauses. Use the space below for your
notes.

Use this space for your own notes:

High level overview

Session 5 - ISO 9001 Clause Requirements
Evidence
As an auditor, your job is to gather objective evidence and compare it to the requirements of ISO
9001 to determine conformance.

You can gather objective evidence through a combination of the following:


▪ Reviewing documented information
▪ Interviewing people
▪ Observing activities and processes

Documented information includes policies, plans, procedures, specifications, contracts, etc. –
anything that an organization captures or writes down in order to help it to plan, operate and
control its processes. Most of these types of document focus on future actions, i.e. what will
happen and how the process is intended to work. But there is also information about what did
happen; in the latter case it is also referred to as a record (see ISO 9000:2015, 3.8.10).
As an auditor you will be looking for evidence in the form of records and comparing them to other
documents and to the requirements of ISO 9001, to establish whether what was done is the same as
what was intended.

Related ISO 9001 requirements


As well as examining evidence related directly to the parts of the standard you are auditing, you
should also consider other clauses of ISO 9001 which interface with the clause under review.
Because ISO 9001 describes requirements for a quality management system, in which every
element interrelates with every other element, it can be difficult to know where to stop. Try to focus
on those clauses where there is a direct relationship to the process you are auditing.
For example, if you were auditing the internal audit process (9.2) you would want to look at:

▪ Control of documented information for internal audits (9.2.2f / 7.5.1+2+3)
▪ Who is responsible for undertaking audits (5.3)
▪ How their competence as auditors has been established (7.2)
▪ What information about audits is fed into management review (9.3.2 c6)

Understanding ISO 9001 - Exercise
Brief
Identify evidence that you would need to gather when auditing ISO 9001 requirements.

Task
For the clause(s) allocated, answer the following questions:

▪ What is the purpose of the clause?
▪ What records might you expect to see as evidence of conformance with the requirement?
▪ What are the main interfacing clauses that you would need to consider if you were auditing this
requirement?

Output
Make notes for your own reference and be ready to share these with the tutor and your colleagues.

Day 1 - Evening Work
The purpose of this is to enable you to consolidate and develop your learning from today and
prepare for tomorrow.
You should spend approximately 1 hour on this. Prepare your answers ready to review at the start
of tomorrow.

Tasks
▪ Familiarise yourself with the “information for students” at the start of the specimen exam
paper
▪ Complete section 1 of the specimen exam paper
▪ You should aim to do this in 20 minutes
▪ List five examples of objective evidence that could be available to demonstrate top
management leadership and commitment. For each example give the applicable ISO
9001 clause(s)

Preparation for day 2


Go to Session 6 in your Workbook and complete the “Who does what?” exercise.

Preparation for case study activities


▪ Go to the Case Study Booklet and Procedures document
▪ Briefly familiarise yourself with the Introduction to the Case Study and Section 1 - CovSec
Ltd - Company Information

Note: At this time do not attempt to do any more than familiarise yourself with the Introduction
and Section 1.

Use this space for your own notes:

Leadership and Commitment – Examples of Audit Evidence
ISO 9001 Section 5 – leadership and commitment requirements require consideration during an
audit of a quality management system. The following table lists some examples of audit evidence
that demonstrate either conformity or nonconformity to a selection of requirements defined in
Section 5.

| Audit evidence | Clause | Conforming (C) or nonconforming (NC) |
|---|---|---|
| Top management actively engaged in walking the operation, observing working practices, conducting ad hoc interviews with staff and offering feedback concerning QMS conformity and areas for improvement. | 5.1.1f, 5.1.1h, 5.1.1i | C |
| Top management participate in management review. | 5.1.1a, 5.1.1g | C |

Use this space for your own notes:

Session 6 - Audit Roles and Responsibilities
There can be a number of different roles involved in an audit, and each person needs to be clear
about their personal responsibilities. The lead auditor also has a responsibility for making sure
that all members of the audit team, and the auditee, are clear about what is expected of them.
This session describes:

▪ Key responsibilities of auditors and lead auditors


▪ Roles and responsibilities of others who may participate in the audit process

Use this space for your own notes:

Who Does What? – Exercise
Brief
An audit has been planned of a medium-sized company. The audit will last 3 days and involve a
team of two, a lead auditor and an auditor.

Read through the Roles and Responsibilities information below and answer the following
questions:

1. Who is responsible for checking that the audit team allocated to the audit is suitably
qualified?

2. What preparation would need to be done before the audit activity starts:
a) By the lead auditor?
b) By the auditor?

3. An audit of the Human Resources department has just been completed. The Human
Resources manager asks for some feedback. Who should provide this feedback, and in what
form?

4. Who would grade any nonconformities raised, and at what stage of the audit?

5. How can the possibility for conflict between the audit team and the client be minimised?

6. Who has the main responsibility for resolving conflict?

7. Who will make the final recommendation for the outcome of the audit?

8. If the auditor identifies a potential problem, which is linked to but outside the specific area
they are auditing at the time, what should they do?

Roles and Responsibilities
Audit teams
Where audit teams are used, they consist of auditors led by a person nominated to be the lead
auditor. These roles and their responsibilities are defined in ISO 19011 and are summarised below.
If one person conducts an audit, then the auditor fulfils both roles.
The lead auditor assumes overall responsibility for the management and conduct of all phases of
the audit.
The lead auditor should have management capabilities and experience and the authority to make
final decisions regarding the conduct of the audit and any audit observations.
The lead auditor should be able to discuss strategic issues with top management of the auditee to
determine whether they have considered these issues when evaluating their risks and
opportunities.

The auditor

Carry out audit plan
▪ Search for evidence
▪ Keep within the agreed scope
▪ Work to the audit plan

Support
▪ Lead auditor
▪ Team members
▪ Decisions

Communicate
▪ Audit requirements
▪ Findings and nonconformities
▪ Problems
▪ Deviations to audit plan

Responsibilities
▪ Exercise objectivity
▪ Adhere to code of conduct
▪ Maintain auditee confidentiality
▪ Act in an ethical manner

Present
▪ Key responsibilities of auditors and lead auditors
▪ Recommendations for grading nonconformities
▪ Nonconformities to team and auditee

The lead auditor

Planning
▪ Resource requirements
▪ Allocation of audit tasks
▪ Audit plan communications

Moderating audit findings
▪ Ensuring consistency and objectivity
▪ Grading nonconformities
▪ Arbitrating in disputes

Communication
▪ Team briefings
▪ Expectations
▪ Reviews
▪ Changes to audit plan
▪ Audit trails

Reporting
▪ Progress
▪ Findings
▪ Problems
▪ Audit recommendations

Management
▪ Task, team and auditee

Planning
The lead auditor is responsible for planning the effective use of resources even when the team is
pre-selected. It is usual that at the first visit, usually the Stage 1 audit planning visit, the lead
auditor confirms as part of contract review that resource allocation is correct.
Planning also involves determining the external and internal issues, and the risks and opportunities,
that can affect the audit programme, and implementing actions to address them, integrating these
actions in all relevant auditing activities, as appropriate.
Assignment of individual tasks and matching with auditor expertise is the responsibility of the lead
auditor, who will record these in a detailed audit programme covering the duration of the audit.
Any amendments to the programme must be agreed by the lead auditor.
An essential part of the audit is maintaining effective communications within the team and with
the client.
Team briefings are held at the start of the audit and at pre-determined times throughout.

Communication
At the outset the lead auditor briefs the team to communicate relevant information and knowledge
gained prior to the audit. This is the opportunity for the lead auditor to confirm his/her
expectations of the team and its members.
The main mechanism for client communication is the daily review meeting at which the previous
day’s findings are presented and any other issues discussed. This meeting should be relatively
formal but limited on time to allow the audit to progress. Any changes to planned arrangements
may also be agreed at this time.
For the audit to be effective an understanding of audit trails established by one auditor, to be
followed up by another, must be confirmed and actions that are necessary, agreed between the
parties.

Maintaining confidentiality
The lead auditor also has a responsibility to ensure that client confidentiality is maintained, and
that no information or data that any of the audit team see or hear during the audit is
communicated inappropriately.

Management
The nature of audits is such that a clearly defined task has to be completed within a prescribed
time through effective use of team resource. The lead auditor is responsible for making sure this
happens and making sure that each member of the audit team performs effectively. Lead auditors
will need to delegate tasks effectively, monitor the progress of the audit and the performance of
the auditors, and provide appropriate coaching, support, feedback and direction to auditors.

Moderating audit findings


For third party audits the client is paying for and expects to receive an audit, which is conducted
professionally, fairly and to consistent standards. Recipients of internal or second party audits
should also be able to expect the same standards.
The lead auditor has an ongoing role within the audit in monitoring the work of each auditor. The
aim is to identify trends in nonconformities and any situations that may affect the successful
completion of the audit.
Prior to the closing meeting, the lead auditor will normally hold a short meeting with the audit
team to review the audit findings. Common trends will be identified (for example, weakness across
the organization in document control systems). Such trends may result in the escalation of
individual minor nonconformities to a major nonconformity.
Disagreements may arise within the team on the interpretation of standards in relation to the
client’s system, and the seriousness of nonconformities. There may also be disagreements
between auditors and the client’s personnel. The professionalism of auditors should help to
prevent such incidents, even though the audit may be a stressful time for people in the client’s
organization. Where such incidents occur, the lead auditor is responsible for arbitrating, by means
of objectively identifying the cause of the problem through listening to both sides of the argument
and proposing an appropriate solution. The lead auditor has ultimate responsibility for making
and justifying all audit decisions, including the raising and grading of nonconformities.

Reporting
Progress, findings and any problems encountered during the audit are reported through the lead
auditor who will normally chair any meeting.
The responsibility for analysing the overall audit findings and making the final recommendations
falls to the lead auditor.
Other Audit Roles
Other people and roles in the audit process can include:

Audit client
This is the organization or person requesting the audit. In the case of an internal audit the audit
client may also be the auditee or the person managing the audit programme. In the case of a
second party audit it would be the customer.

The audit client should specify the purpose and objectives of the audit, and the audit plan and
reporting arrangements should be agreed with them. The lead auditor should discuss with the
audit client any problems experienced in following the audit plan or achieving the audit
objectives.

Auditee
The auditee is the organization being audited, so in the case of a first- or third-party audit, the
auditee and the audit client are usually the same.
The auditee needs to cooperate with the audit team in order that the audit objectives can be
achieved, and this would include making information and resources available for the audit,
including appropriate access to people, documents, records etc. The auditee may need to provide
guides for the audit team and ensure appropriate arrangements for safety and security are in
place.

Management representative
This is the person appointed by the auditee organization to liaise with the external auditors.
You can think of this person as the lead auditor’s opposite number because they should be
managing the audit process on behalf of the client. They will be the main point of communication
between the audit team and the client. Normally they will liaise with their colleagues and
coordinate the audit activities, make sure that the right people are available for the audit, and the
evidence needed to determine conformance of the system is made available to the auditor.

Guides
A guide should be provided to each auditor. The primary role of a guide is:
▪ To witness the audit on behalf of the auditee organization

Ideally the guides should:
▪ Know their way physically around the site, and ensure the auditor follows relevant safety
and security procedures
▪ Know “who’s who” and be able to introduce the auditor to the right auditee
▪ Understand the quality management system, and guide the auditor to the most
appropriate sources of evidence

Experts
Where it’s not possible to find a competent auditor with the ability to understand a specialised
process, an expert can be employed to work with the audit team. This would be an independent
person whose role would be to explain technical issues and facilitate the auditor, rather than to
undertake audit activities themselves.

Observers
A person who accompanies the audit team, but does not audit, is an observer. Observers may be
members of the auditee organization - for example a member of the quality team or a newly
appointed internal auditor who observes an external audit in order to gain experience. Or they may
be appointed by a regulator or other interested party, such as an accreditation body observing a
certification body carrying out an audit. Observers must not influence or interfere with the conduct
of an audit in any way.

Use this space for your own notes:

Session 7 - Overview of the Audit Process
Need for audit
Audits are done for a variety of reasons. Quality management system audits may be used to:

▪ Verify conformance to planned arrangements
▪ Identify opportunities for improvement
▪ Assess the effectiveness of quality management systems
▪ Assist with selection and monitoring of suppliers
▪ Verify compliance with contractual requirements
▪ Determine conformity with ISO 9001 requirements

A second party or supplier audit is used to help select and monitor suppliers.

A third party or independent audit is used to award certification to a recognised management
system standard.

Pre-audit activities
Gather information about the auditee organization sufficient to make a preliminary determination
of the:
▪ Audit scope and criteria
▪ Resources needed, including duration and auditor expertise

And arrange for an auditor to carry out an on-site Stage 1 – System review and Stage 2 planning
audit.

The initial audit


ISO 17021 requires that the initial certification audit of a management system be carried out in two
stages, Stage 1 and Stage 2.
This practice may also be reflected by organizations conducting second party, supplier audits,
where the Stage 1 audit is often performed as a remote review of the documented system.

Use this space for your own notes:

Stage 1 audit
The purpose of the Stage 1 audit is to:

▪ Better understand the organization, its context, the products and services it provides,
interested parties and their requirements including customer and applicable statutory
and regulatory requirements
▪ Confirm the audit scope
▪ Review the quality management system to confirm it is designed to:
- Enable the organization to manage all those aspects of its business necessary to
consistently provide products and services that meet customer and applicable
statutory and regulatory requirements
- Conform to requirements of the audit criteria e.g. ISO 9001
▪ Determine the state of readiness for the Stage 2 audit
▪ Confirm the resources needed for the Stage 2 audit
▪ Develop a plan for the Stage 2 audit, including the sequence of audit activities and
assigning audit activities to audit team members
▪ Plan and organise the logistics for the Stage 2 audit, including travelling time,
accommodation and other auditing needs as appropriate

For a certification audit it is normal practice to also:

▪ Meet with a representative of top management to find out about the business, the
organization and to discuss the quality policy and objectives of the organization, top
management involvement in the quality management system and their related
leadership activities
▪ Conduct a preliminary evaluation of the management review and internal audit
processes to help determine the state of readiness for the Stage 2 audit

Use this space for your own notes:

Stage 2 audit
The purpose of the Stage 2 audit is to gather evidence and evaluate:
▪ The implementation of the defined management system
▪ The effectiveness of the management system in achieving the organization’s quality
policy and objectives and meeting customer and applicable statutory and regulatory
requirements
▪ Conformity with audit criteria requirements

During a Stage 2 audit for a third party audit the audit team will:
▪ Conduct an opening meeting
▪ Follow up on any findings from the Stage 1 audit
▪ Complete the Stage 2 audit following the plan prepared at the Stage 1 audit
▪ Conduct daily review meetings with the auditee organization to discuss findings and
progress.
▪ Complete and present a written audit report
▪ Conduct a closing meeting and present the recommendation of the audit team

Recommendation
In a third-party audit for certification purposes the audit team leader will make a recommendation
on behalf of the audit team. The recommendation will be either to award certification or to defer
certification until satisfactory corrective action has been taken to address audit findings. An
independent reviewer will make the decision to award certification after examining the results of
the audit. This is done to ensure the impartiality of the audit team.
Similarly, in a third-party audit for supplier approval purposes it is normally the case that the audit
team leader will make a recommendation and another person in the purchasing organization will
take the decision to award, or not award, a contract to the auditee organization. However, in some
cases the audit team leader may be given the responsibility and authority to take this decision.

Subsequent activities
Normally, once an organization has been awarded certification, or a contract, periodic audits are
carried out to monitor ongoing conformance. These surveillance audits normally evaluate how the
organization is maintaining and improving the management system through the use of internal
audit, risk management, corrective and preventive action and management review. The auditor
will also evaluate any areas of concern or change. After three years a certificate renewal audit is
carried out, which is similar to the original Stage 2 audit in purpose and duration.

Use this space for your own notes:

Audit Cycle
Use this space for your own notes:

Session 8 - Pre-audit Activities and Scope
The starting point for any audit is to understand the type, purpose and boundaries (scope) of the
audit and then gather information to enable you to plan the audit.

Audit types and purpose


First, second and third-party audits; these terms describe the relationship the auditor has with the
organization being audited.
▪ First party or internal audit is the term used when the auditor works for the organization
being audited. First party audits are used for internal purposes. The person managing the
audit programme will decide the scope of the audit
▪ Second party or supplier audit is the term used when the auditor works for the client
buying from the auditee. Second party audits are used to help select and monitor
suppliers. The audit client will decide the scope of the audit
▪ Third party or independent audit is the term used when the auditor works for an
independent auditing organization. For example, those carrying out certification audits.
The auditee organization may include all of its products within the audit, or it may want
to limit the audit to a selected range. The independent audit body will audit all applicable
parts of the organization’s quality management system and evaluate conformance with
all applicable requirements of ISO 9001

Use this space for your own notes:

Pre-audit activities
Gather information about the auditee organization sufficient to make a preliminary determination
of the:
▪ Audit scope and criteria
▪ Resources needed, including duration and auditor expertise

Information (as applicable):

The basis of the QMS including:
▪ The range of products and services offered to customers and controlled under the QMS
▪ The auditable standard(s) used as the basis for the design of the QMS
▪ Contract requirements (second party)
▪ Product standards, claims made for the products

The size of the organization including:
▪ Number of people
▪ Number of sites and locations
▪ Layouts and size of sites
▪ Organizational structure
▪ Key processes/activities
▪ Language and culture
▪ Seasonality of products and services

To determine:

Audit scope and criteria
Products and services being offered under the control of the management system and the
requirements against which audit evidence will be evaluated.

Resources needed
Number of auditors, expertise and duration of the audit.

This information can be gathered remotely, by visiting the organization or a combination of both.
A visit to the organization has the benefits of:
▪ Developing a face-to-face relationship
▪ Providing an opportunity to meet top management and other managers
▪ Gaining a better understanding of the scale of the operation

Audit scopes
Scope is a term used to define the extent or boundaries of something. For example:
▪ The scope of ISO 9001, described in section 1 of the Standard
▪ The documented scope of the quality management system (clause 4.3)
▪ The audit scope, which ISO 19011 defines as “the extent or boundaries of an audit”
▪ The second party approval or third-party certification scope, which defines the products
and services and locations covered by the approval or certification
Normally, for second party and third party audits the starting point for developing the audit scope
is to clearly define the approval or certification scope.

For example:

Design and delivery of QMS Auditor/Lead Auditor courses through a global network of LRQA's
Training offices.

A useful method for determining a scope is M.A.P.

M = Main activity: i.e. what the organization is principally offering its customers, e.g. design
and manufacture of timber outdoor products.

A = Additional activities: i.e. what the organization may also offer to customers, e.g. sale of
floral display products.

P = Product standards: i.e. claims or Regulations may be quoted as appropriate, e.g. treated in
accordance with BS 8417, class 4, 15-year service life.

The following scope demonstrates appropriate application of M.A.P.

Manufacture of flame arrestors to BS7244 for use in pipelines of bore diameters 0.5cm to 20cm,
which convey inflammable or explosive gases. Technical advice on the application of flame
arrestors.

The certification scope will appear on the certificate. The certification scope may also appear in a
register of certificated organizations on the internet.
For a first party audit, the scope of the audit may be the process(es) and possibly locations to be
audited, for example “recruitment and induction processes in the Southern region”. Depending on
the purpose of the audit, first party audit scopes can be very varied; some may focus on a very
narrow area but look in depth; others may be very broad and encompass a whole series of
interacting processes.

Developing a scope

▪ Using what you have learnt from reading about CovSec
▪ In breakout rooms
▪ Devise a scope statement (using M.A.P.) for CovSec

Use this space for your own notes:

Audit criteria
The term audit criteria is defined as “sets of policies, procedures or requirements used as a
reference against which objective evidence is compared” (ISO 19011).
For a first party audit this could include policies, procedures, objectives or goals, specifications,
customer requirements, regulatory requirements etc., in fact anything that acts as a control over
a process. Any one audit may cover one or a whole range of audit criteria.
For a second party audit the contract is usually one of the main criteria, and ISO 9001 or elements
of ISO 9001 may also be covered.
For a third-party audit of a quality management system the criteria would typically be ISO 9001.
Once the scope and criteria for the audit are defined, the audit plan can be considered, to ensure
that all applicable processes and locations are covered. The plan will include the sequence of audit
activities and assigning audit activities to audit team members.

Resource needs
Resource considerations are mainly time and expertise:
▪ Expertise to ensure the audit is effective
▪ Time to ensure the audit objectives can be achieved

Collectively, the audit team needs to have the competence to fulfil the requirements of the audit,
including:
▪ Generic auditing skills and competence
▪ Discipline specific competence relating to the audit standard (e.g., quality management,
health and safety, environmental etc.)
▪ Understanding of the organization’s context, including legal and contractual
requirements relevant to the industry sector
▪ Technical knowledge to ensure that all processes within the scope can be audited
effectively
▪ Knowledge of risk management, project and process management, and of information
and communications technologies may be considered

In a complex audit, the audit team may be comprised of auditors with a range of expertise – not all
of the team members need to have all of the competences required, provided that overall the team
does.

Factors that may affect the audit duration:

▪ Complexity of the organization (i.e. the number of processes, locations,
products/services, shifts covered by the audit)
▪ Audit scope (a wide scope will result in a longer audit)
▪ Audit standard (all clauses of the standard will need to be covered)

Third-party audit organizations use guidelines to determine audit duration. The duration quoted
is based on the number of employees in the organization.

For example:

Number of employees    Audit duration (days)
                       Stage 1    Stage 2
1 - 10                 1          1
11 - 25                1          2
26 - 45                2          2
46 - 65                2          3
66 - 85                2          4
86 - 125               2          5

It is necessary to identify the number of auditors and the specific requirements for skills, expertise
within the industry sector and special knowledge of technical or other processes that are needed.
Accreditation bodies require certification bodies to have systems that ensure the audit team is
competent to carry out the audit. This means the team must have sufficient understanding of the
industry and the products and processes within the audit scope.
The audit team will need to have expertise in the relevant discipline e.g. quality, environmental,
health and safety, as well as specific expertise in the industry sector, e.g. automotive, retail,
aerospace, public services etc.

Use this space for your own notes:

Session 9 - Stage 1 Audit
In Session 7 – Overview of the audit process, the two-stage approach to audit was outlined as
follows:
▪ Stage 1 audit – System review and Stage 2 planning
▪ Stage 2 audit – System implementation

Purpose of the stage 1 audit


For a certification audit the focus of the Stage 1 activities is on evaluating the design of the
organization’s quality management system.
Specifically:
▪ Evaluating the organization’s determination of external and internal issues relevant to its
purpose and strategic direction and that affect its ability to achieve the intended results
of its quality management system (ISO 9001:2015 clause 4.1)
▪ Evaluating the organization’s determination of relevant interested parties and their
relevant requirements (ISO 9001:2015 clause 4.2)
▪ Evaluating the organization’s determination of the scope of the quality management
system, determination of processes needed and their application of the process
approach (ISO 9001:2015 clause 4.3 and clause 4.4)
▪ Evaluating the organization’s determination of risks and opportunities that need to be
addressed, planning of actions to address these risks and opportunities, integrating
planned actions into the quality management system processes and planning how to
evaluate the effectiveness of these actions (ISO 9001:2015 clause 6.1)

In addition, a Stage 1 certification audit normally includes a determination of the organization’s
state of readiness for the Stage 2 audit. This is done by:

▪ Interviewing one or more members of top management to discuss the organization, its
business context and goals from their standpoint
▪ Reviewing the quality policy and objectives, top management involvement in the quality
management system and their related leadership activities
▪ Conducting a preliminary evaluation of the management review and internal audit
processes and the organization’s adoption of the process approach

For a second party audit the focus of the Stage 1 audit may be targeted more on the specific needs
of the buying organization. For example, the Stage 1 audit may seek to establish that:

▪ The organization’s strategic direction is compatible with the second party
▪ The second party’s needs and expectations have been fully and accurately determined
▪ Consideration has been given to the effect of external and internal issues on the second
party’s requirements
▪ Risks and opportunities relevant to the second party’s requirements have been
determined
▪ The organization can demonstrate it has the process capability to meet their
requirements, including applicable statutory and regulatory requirements

▪ Internal audits are not identifying issues that could adversely impact on conformity to
their requirements and that the organization has an effective corrective action process
etc.

The Stage 1 audit is usually carried out on-site by the lead auditor.

Alternative approaches
It may not always be feasible to conduct an on-site Stage 1 audit as a separate activity from the
main audit. An alternative approach, often used in second party audits, would be to ask the auditee
to send relevant management system documented information to the audit team for remote
review. Other aspects of the Stage 1 audit may be covered by other communication means, which
may include email, phone or video calls and conferences as required. On some occasions the Stage
1 and Stage 2 audits may be carried out during a single visit as two consecutive activities.

Use this space for your own notes:

Introduction to the Case Study
Welcome to LRQA's QMS Auditor/Lead Auditor case study.

The case study is designed to enable delegates to apply knowledge of ISO 9001 and apply and
develop audit skills, including aspects of planning, conducting and reporting the audit. Using case
study materials, you will audit a quality management system against the requirements of ISO
9001. The case study is used throughout the course.

The two main case study activities are:

▪ Perform a Stage 1 system review and Stage 2 planning audit
▪ Perform a Stage 2 system implementation audit

Case study activities comprise a number of tasks, for example evaluating documented
information, preparing checklists and working documents, conducting interviews etc. For each
case study there is a task brief setting out what needs to be done. Case study activities are
connected, and information will need to be carried forward from one case study activity to the
next. For example, you will be given information during the Stage 1 audit that you will be expected
to follow up during the Stage 2 audits.

Stage 1 system review and Stage 2 planning audit

▪ Gather and evaluate information about the organisation and its context
▪ Gather and evaluate information about risks and opportunities
▪ Consolidate case study findings, prepare an on-site audit plan

Perform part of a Stage 2 system implementation audit

There are four linked case study activities.
▪ Prepare an audit plan
▪ Prepare individual audits
▪ Conduct the audit
▪ Report the audit

As a team, you will audit up to 5 of CovSec’s processes, which are:
▪ Sales
▪ Purchasing
▪ Management Review
▪ Training
▪ Alarm Installation

Audit Team Brief
You have been assigned to carry out an audit of CovSec’s recently implemented quality
management system against the requirements of ISO 9001:2015.

The audit comprises a Stage 1 system review and Stage 2 system implementation audits.

Audit scope:

The scope of CovSec’s quality management system takes in the organization’s activities of:

“Design, manufacture and installation of electronic intruder alarm systems. Provision of:

▪ 24-hour alarm monitoring and response service,
▪ 24-hour repair service and,
▪ Preventive maintenance, for CovSec Ltd supplied alarm systems.”

Audit criteria:
ISO 9001:2015 requirements apply. There are no exclusions.

Audit objectives:
Examine and evaluate the design and implementation of CovSec Ltd’s quality management
system and determine conformity and nonconformity to the requirements of ISO 9001:2015.

Audit reporting:
Interim reports as specified in case study task briefs.

On completion of the Stage 2 audit, prepare a summary report that includes:

▪ A recommendation for approval, or deferral of approval, to ISO 9001:2015
▪ Nonconformity reports where audit evidence demonstrates ISO 9001:2015 requirements
have not been met
▪ Where additional audit evidence is needed to determine conformity, a report of what
evidence needs to be gathered, likely sources of the evidence and how it could be
gathered

Case Study 1 – The Organization and its Context
Here you will concentrate on how CovSec Ltd has addressed the following ISO 9001 requirements:

▪ Clause 4.1 Understanding the organization and its context
▪ Clause 4.2 Understanding the needs and expectations of interested parties

This is a small-group exercise.

Task brief:
Gather and evaluate information about the organization and its context. Tutor to provide timings
for this task.

Materials
▪ CovSec Company Information and Procedures
- The Organization and its Context Supporting Material
Process
Review the new information provided in the CovSec Ltd Business Review, which comprises:

▪ Executive summary
▪ SWOT
▪ Stakeholder analysis

Using the information provided in the CovSec Company Information and CovSec Ltd Business
Review:

1. Find out the purpose and strategic direction of the organization
2. Consider the organization’s determination of external and internal issues
3. Consider the organization’s determination of relevant interested parties and their needs
4. Evaluate conformity with ISO 9001 clause 4.1 and clause 4.2 requirements
5. Identify audit trails that need to be followed through to later parts of the audit

Output

Using the template provided at the end of this case study, prepare a brief summary of your findings
and any planned follow up activities.

Be prepared, as a group, to give a brief verbal presentation of the key points of your findings.

Task Reporting Template
1. The purpose and strategic direction of the organization.
▪ Has the organization determined its purpose and strategic direction?

2. Determination of external and internal issues.
▪ Has the organization determined external and internal issues relevant to its purpose and
strategic direction?
▪ Is the organization monitoring and reviewing information about external and internal
issues?
▪ Are there any obvious omissions or gaps in the issues, as determined by the
organization?

3. Determination of relevant interested parties and their relevant requirements.


▪ Has the organization determined interested parties and their requirements that are
relevant to the QMS?
▪ Is the organization monitoring and reviewing information about these interested parties
and their relevant requirements?
▪ Are there any obvious omissions or gaps in the interested parties and their relevant
requirements, as determined by the organization?

4. Conformity with ISO 9001 clause 4.1 and clause 4.2 requirements.
Has conformity, or nonconformity, with the requirements of clause 4.1 and clause 4.2
been established? If not yet, what more audit evidence is needed?

5. Audit trails that need to be followed through to later parts of the audit.
Use the space below to record audit trails you want to follow through to later parts of the case
study.

Case Study 2 – Risk and Opportunity
Here you will concentrate on how CovSec Ltd has addressed the following ISO 9001 requirements:

▪ Clause 6.1. Actions to Address Risks and Opportunities.

Tutor to provide timings for this small-group exercise.

Task brief:

Gather and evaluate information about CovSec’s:

▪ Determination and evaluation of risks and opportunities


▪ Planning of actions to address risks and opportunities
Materials
▪ CovSec Company Information and Procedures
- Risks and Opportunities Supporting Content
▪ Output of Case study 1
Process

Review the new information provided, which comprises:

▪ Risk and Opportunities Review


▪ Opportunities log
▪ Risks log
▪ Narrative – Interview with the Quality Manager

Using the new information provided in conjunction with earlier case study materials and findings:

1. Consider the risks and opportunities as determined by the organization. Evaluate the extent
to which these address the external and internal issues and the requirements of relevant
interested parties.
2. Consider the actions planned by the organization. Evaluate the extent to which these address
the risks and opportunities.
3. Evaluate conformity with ISO 9001 clause 6.1.1 and clause 6.1.2 requirements.
4. Identify audit trails that need to be followed through to later parts of the audit.

Output
Using the template provided at the end of this case study, prepare a brief summary of your findings
and any planned follow up activities.

Be prepared, as a group, to give a brief verbal presentation of the key points of your findings.

Task Reporting Template
1. Determination of risks and opportunities.
Has the organization established an approach to determination of risks and opportunities?

2. Evaluation of risks and opportunities, as determined by the organization.


▪ Has the organization determined risks and opportunities that need to be addressed?
▪ Do the risks and opportunities address the external and internal issues and requirements of
relevant interested parties? (Refer to Case study 1 – Context of the organization)
▪ Are there any obvious omissions or gaps in the risks and opportunities, as determined by the
organization?

3. Actions to address risks and opportunities.


▪ Has the organization planned actions to address risks and opportunities?
▪ Has the organization planned how it will integrate the actions into the QMS?
▪ Has the organization planned how it will evaluate the effectiveness of the actions?

4. Conformity with ISO 9001 clause 6.1.1 and clause 6.1.2 requirements.
Has conformity, or nonconformity, with the requirements of clause 6.1.1 and clause 6.1.2
been established? If not yet, what more audit evidence is needed?

5. Audit trails that need to be followed through to later parts of the audit.
Use the space below to record audit trails you want to follow through to later parts of the case
study.

Day 2 - Evening Work
The purpose of this is to enable you to consolidate and develop your learning from today and
prepare for tomorrow. You should spend approximately 1 hour on this. Prepare your answers ready
to review at the start of tomorrow.

Tasks
▪ Complete section 2 of the specimen exam paper. You should aim to do this in 30 minutes
▪ Create a list of 10 checkpoints that can be used as a guide in an audit of continual
improvement processes (10.3), outlining the audit evidence you would want to gather.
For each example give the applicable ISO 9001 clause(s)

Session 9 Continued: Top Management Meetings
Interviewing top management
Gathering information during a Stage 1 audit will most likely involve a combination of interviewing
people and reviewing documented information. Unlike its predecessors, ISO 9001:2015 does not
require organizations to establish and maintain a quality manual and documented procedures,
nor does it require formal risk assessment methods and risk registers. Therefore, the extent to
which information has been documented will largely be down to the organization to determine,
considering its context and requirements other than ISO 9001:2015, for example statutory and
regulatory requirements, customer and contract requirements etc.

It is quite likely that during the Stage 1 audit much of the information about external and internal
issues, stakeholder requirements and risks and opportunities will be presented by top
management in the form of verbal information.

Discussions with top management will also need to address those top management tasks that
cannot be delegated and must be undertaken by top management.

Purpose of the interview


In summary, the purpose will be to:
▪ Corroborate and explore information gained from other sources – for example from
business plans
▪ Understand the roles and responsibilities of individual members of top management and
determine which members of top management the auditor(s) will want to meet and
interview further, and for what purpose
▪ Learn about their involvement in the QMS and their leadership activities
▪ Understand the issues they face, risks and opportunities
▪ Look to identify top management’s view of the QMS and its effectiveness
▪ Explore how effectively the QMS is aligned to their requirements
▪ Establish credibility of the team
▪ Build rapport and engage with top management
▪ Get top management to buy into the audit process
▪ Report back on issues of importance to top management

The list above shows some of the objectives for an interview with top management; there will be
others.

Brief
Following the brief given to you by the tutor, look to identify:
▪ Opportunities and risks for the audit team that the meeting with top management
presents
▪ The things and behaviours the auditor(s) will need to get right to achieve a successful
outcome from the meeting

(Make your own notes using the template below).

Opportunities for the audit team | Risks to the audit team

Success factors/behaviours | Failure factors/behaviours

Planning the Stage 2 audit
By definition, an audit plan is the “description of the activities and arrangements for an audit” (ISO
9000:2015).

Consider the following when producing the audit plan.


▪ Risk-based approach to planning
Planning for the audit should consider risks and opportunities for achieving audit
objectives.
▪ Audit objectives
The audit plan must be capable of fulfilling the audit objectives.
▪ Audit criteria and any reference documents
All applicable elements of the audit criteria should be verified during the audit. The
audit criteria may include ISO 9001, statutory and regulatory requirements, contract
requirements and requirements of the organization’s QMS documentation.

▪ Audit scope, including details of those processes to be audited
All relevant processes within the audit scope need to be audited in sufficient depth. If
key processes are not covered the audit will fail to fulfil its objectives. The plan will
invariably detail the dates and places where the on-site activities are to be conducted.
All key locations and departments etc. need to be covered. A location map is useful to
ensure that everything is covered, although where a multiple site organization conducts
exactly the same activities from a number of sites, it may be possible to sample sites.

▪ Time and duration of on-site activities, including meetings with key personnel
Do not waste time on auditing inappropriate activities, excess travelling, meetings etc.

▪ Audit methods
Traditionally audit activity is carried out on-site, and involves a combination of
observation, analysis, sampling of records, and interviewing and discussing processes
and systems with people.

However, with improvements in communication technology, and increasingly paperless
systems, it is now more feasible to complete some aspects of audits remotely and/or
without human interaction. The table below is adapted from ISO 19011:2018.

Audit methods, by extent of involvement between auditor and auditee and by location of auditor:

Human interaction
On site:
▪ Conducting interviews
▪ Completing checklists and questionnaires with auditee participation
▪ Sampling
Remote, via interactive communication means:
▪ Conducting interviews
▪ Observing work performed with remote guide
▪ Completing checklists and questionnaires
▪ Conducting document review with auditee participation

No human interaction
On site:
▪ Conducting document reviews (including records and data analysis)
▪ Observing work performed
▪ Touring the site
▪ Completing checklists
▪ Sampling (e.g. products)
Remote:
▪ Conducting document review
▪ Sampling of records and data held electronically
▪ Analysis of data
▪ Observing work performed via surveillance means (subject to social and legal requirements)

▪ Roles and responsibilities of the audit team members and accompanying personnel
Assign each team member responsibility for auditing specific processes, functions, sites,
areas or activities. Assign these based on their independence and competence, and to ensure
effective use of resources. The audit team will comprise one lead auditor, auditor(s) and
possibly technical expert(s). In addition, auditors undergoing training may also be present.
Technical experts and auditors undergoing training work with a competent auditor
throughout the audit, not alone. The audit plan may also need to indicate which auditee
personnel are required.

▪ Allocation of appropriate resources
Travel time may have to be detailed, for example when off-site activities need to be audited,
or when travelling between sites. If necessary, transport and accommodation arrangements
may have to be incorporated in the audit plan. If auditing overseas it may be necessary to
arrange a translator. Meeting facilities and communication media may also be needed.

▪ Communications
Include time for communication in the audit plan. This may be difficult when the audit team
is at different sites. Try to bring the team together for opening and closing meetings. An
opportunity to review progress in some form should be made every day, for example by
phone.

▪ Audit trails
Take account of process flows, information flows and material flows. Where possible
sequence audit activities to follow these flows to facilitate development of effective audit
trails.

The audit plan should cover or reference the following:


▪ The audit objectives
▪ The audit scope - what the audit includes and excludes, if appropriate
▪ The audit criteria and any reference documents
▪ The timetable – start and finish times and dates, what locations and activities are to be
audited and when, and the sequence of audit activity
▪ Timings for key meetings in the audit – opening, review meetings and closing meeting
▪ The audit methods to be used, including sampling
▪ The roles and responsibilities of the audit team members, as well as guides and observers
▪ Reporting arrangements, including confidentiality, reporting language etc.

Use this space for your own notes:

Case Study 3 – Top Management Interview
In this part of the case study you have an opportunity to discuss aspects of CovSec’s business with
any member of top management; i.e. the Managing Director and SMT.

You are seeking to:

▪ Understand the organization, its business context and goals from their standpoint
▪ Get your interviewee to explain, expand upon or verify information you have gained
▪ Establish top management’s involvement in and commitment to the management system
▪ Gather information to support your previous evaluations and follow through to the Stage
2 audit

This is a small-group exercise.

Task brief:

Prepare for and conduct an interview with top management.

Interview subject

The tutor will assign each group one of the following subject areas, which will be the basis for your
discussions with top management.

▪ Context of the organization


▪ Risks and opportunities
▪ Leadership and commitment
Process
▪ Nominate a team leader to manage the task of preparing for the interview
▪ For your subject area, select only one or two quite specific issues that you can discuss
with top management in the time available
▪ Decide what you want to get from the interview and write this down
▪ Prepare a documented aide to guide you through the interview
▪ Agree who will lead the interview and who will make notes of any findings

Time available

The time available will be communicated by the tutor.

The interview

The tutor will play the part of top management. Their focus will be on engaging with the auditor
and responding realistically and appropriately to the auditor.

Tutor to provide timings for your interview and you must not over-run.

Interview output

Information to support the planning and conduct of the Stage 2 audit.

Observers

Follow the interviews and use the review sheet on the following page.

Agree | Criteria | Disagree
 | The auditor(s) introduced the purpose and scope of the interview and built rapport with the manager. |
 | The auditor(s) used business language naturally, and the language of the organization. |
 | The auditor(s) used open questions and explored the answers given. |
 | The auditor(s) listened actively and engaged with the manager. |
 | The auditor(s) challenged the manager, with rapport and raised issues as necessary. |
 | The interview was well structured and easy to follow. |
 | The interview achieved its stated purpose. |


Case Study 4 – Planning the stage 2 audit

Task
Revise an audit plan for the CovSec Stage 2 audit.

Materials
▪ CovSec Company Information and Procedures
▪ Audit brief
▪ Findings from Case study 1, Case study 2 and Case study 3
▪ Draft CovSec Stage 2 on-site audit plan

Process
Nominate a team leader to manage the task.

Review the draft on-site audit plan.

Critique the draft on-site audit plan in light of your knowledge of CovSec’s quality management
system and your findings from earlier case studies.

Consider:
▪ Does the plan cover all of the processes of the management system relevant to the scope
of the QMS and the scope of the audit?
▪ Does the distribution of time reflect the significance of the process including applicable
risks and opportunities?
▪ Does the audit plan enable effective audit trails to be established and followed?
▪ Is the allocation of time to auditing compared to other activities such as reporting
appropriate?

As necessary, amend the draft plan or develop an alternative.

Output

A plan for the CovSec Stage 2 on-site audit. Be prepared, as a group, to give a brief verbal
presentation of the key points of your findings and the basis for your plan.

Time available
Tutor to provide timings for this case study activity.

Draft CovSec Stage 2 on-site audit plan

Based on the size and complexity of the organization it has been determined that the audit
duration will be four days. A team of two auditors will carry out the audit, i.e. one lead auditor and
one auditor for two days.

The draft audit plan is based on provisional information gathered before the Stage 1 audit.

Day 1
Duration | Lead auditor | Auditor
30 min. | Opening meeting | Opening meeting
60 min. | Design | Sales
60 min. | Product development | Production engineering
60 min. | Control of documents and records | Production planning
Break
60 min. | Purchasing | Manufacturing
60 min. | Stores | Inspection and calibration
30 min. | Team review meeting | Team review meeting
30 min. | Client meeting – Report day 1 findings | Client meeting – Report day 1 findings
30 min. | Day 1 report preparation | Day 1 report preparation

Day 2
Duration | Lead auditor | Auditor
30 min. | Client meeting – Present day 1 report | Client meeting – Present day 1 report
30 min. | Travel to site | Travel to site
60 min. | Site visit – New installation | Site visit – Preventive maintenance
60 min. | Site visit - Repair |
Break
60 min. | Performance evaluation | Internal audit
60 min. | Management review | Training
30 min. | Team review meeting | Team review meeting
30 min. | Client meeting – Report day 2 findings | Client meeting – Report day 2 findings
30 min. | Final report preparation | Final report preparation
30 min. | Closing meeting | Closing meeting

Stage 1 Audit reporting
Following a Stage 1 audit the Lead Auditor writes and issues a report. The report should record:
▪ Documents reviewed
▪ Conformity – elements of the documented system that conform to the audit criteria
▪ Nonconforming – elements of the documented system that do not conform to the audit
criteria
▪ Findings from discussions with top management
▪ A recommendation to proceed with, or postpone, the Stage 2 audit based on the auditor’s
evaluation of the maturity of the system
▪ A detailed plan for the Stage 2 audit

Make notes for your own reference and be ready to share these with the tutor and your colleagues

Session 10 - Meetings
Meetings are the main mechanism for communication during an audit, both with the client and
with the team.
Different meetings have different objectives and will be attended by different people. However, all
meetings need to be well managed if they are to achieve their purpose and give confidence to the
auditees that the audit is being conducted competently. The Lead Auditor will generally chair
meetings, but other members of the audit team may contribute.

The opening meeting


Purpose is to:
▪ Formally start the audit
▪ Create a positive impression of the audit team
▪ Introduce the audit process and explain what will happen
▪ Explain how findings will be agreed and reported
▪ Manage expectations
▪ Answer relevant questions from the auditees

Who should be invited to attend:
▪ Top management or their representatives
▪ Guides
▪ Managers who will be involved during the audit
▪ Others chosen by auditee organization.
▪ Audit team members
For multi-site audits, there may be a first opening meeting at the main location and others at
sites visited during the audit.

Team briefings
The lead auditor will:
▪ Explain the purpose and background to the audit
▪ Tell team members what they know about the auditee organization
▪ Brief team members on the Stage 1 audit findings and the background to the audit plan
▪ Agree arrangements for later review meetings and communication throughout the audit
▪ Manage expectations
▪ Ask and answer questions to facilitate a common understanding of what’s needed to
conduct an effective audit

Who should be invited to attend:
▪ Audit team members
This meeting may be done in part or completely before the opening meeting. Or it may be done
immediately after the opening meeting. It may be a virtual meeting using email, telephone, video
conferencing as appropriate.

Team review meetings
Purpose is to:
▪ Report progress against the audit plan
▪ Communicate audit findings within the team
▪ Identify common findings and trends
▪ Discuss and agree provisional grading of nonconformities
▪ Communicate areas of concern needing further investigation
▪ Communicate audit trails needing follow up by members of the team

Who should be invited to attend:
▪ Audit team members
This meeting may be a virtual meeting using email, telephone, video conferencing as
appropriate.

Interim meetings
Purpose is to:
▪ Report back to the auditee organization progress against the audit plan.
▪ Communicate interim findings to the auditees.
▪ Communicate any areas of concern needing further investigation.
▪ Resolve any issues arising from interim findings or areas of concern presented by the
audit team.
▪ Ask and answer questions to facilitate a clear understanding by the auditee organization
of progress and findings.

Who should be invited to attend:
▪ Managers (auditees) of the areas or activities audited.
▪ Audit team members.
For multi-site audits, there may be an interim meeting at the main location and others at sites
visited during the audit. Site specific findings may be reported to a representative of the site.
The Lead auditor will manage the consolidation of site-specific findings into the final report and
overall outcome of the audit.

Normally, before the closing meeting an interim meeting is held to present the findings from the final day.
After this meeting the lead auditor will then finalise the grade of any nonconformity and determine the
overall outcome and recommendation of the audit team.

The closing meeting
Purpose is to:
▪ Present a summary of findings and the overall outcome and recommendation of the
audit team
▪ Issue the written audit report
▪ Agree subsequent actions, for example corrective action plans and follow up audits
▪ Answer questions sufficient to ensure the auditee organization is clear on the outcome
of the audit, its impact on certification, or their status as an approved supplier, and any
actions they need to take
▪ Formally close the audit

Who should be invited to attend:
▪ Top management
▪ Managers who were involved during the audit
▪ Others chosen by auditee organization
▪ Audit team members

Use this space for your own notes:

Session 11 - Process Audits
ISO 9001 Process approach
ISO 9001 promotes the use of a process approach to developing, implementing and improving the
effectiveness of a quality management system. For an organization to function effectively it has to
determine and manage numerous linked activities.
By definition a process is a “set of interrelated or interacting activities that use inputs to deliver an
intended result”. The output of one process often becomes the input to the next. So, an effective
process is one where the output meets requirements of the next process, and so on to the end of
the process chain. The final output should meet customer and applicable statutory and regulatory
requirements.
The advantage of the process approach is the ongoing control that it provides over the linkage
between individual processes within the system of processes.

Process model
It is useful to be able to represent a process using a simple model. The IDEF0 Process model is one
way of doing this.

Controls: Controls or constraints applied to the process or output, e.g. company pricing and
discount policy
Inputs: Materials or information that is changed in some way to become the output, e.g.
customer enquiry
Outputs: The result of transforming the input, e.g. a quotation to the customer
Resources: Resources to enable the process to be carried out, e.g. sales person and database

When preparing for an audit, auditors can use the input, resources, controls and output framework
to help develop understanding of a process. This can be especially useful when there is no
document that describes the way the process is managed.

Process audits
A process audit evaluates the effectiveness of a management system. To do this, auditors need to
evaluate conformance with planned arrangements and also the effectiveness of these
arrangements.
To put it simply: “Do we follow the planned arrangements? When we do, do they work?”

Controls: Procedures, competence requirements, infrastructure and environment, product
acceptance criteria, statutory and regulatory requirements, ISO 9001 process specific
requirements
Inputs: Materials and consumable resources, data and information
Resources: People, equipment (tools and systems), information
Outputs: Product – conforming, nonconforming product, records, by-service and waste
Intended results: Achievement of planned results, customer satisfaction, statutory and
regulatory compliance, energy policy and objectives fulfilled

Mapped around the process model above are many of the ISO 9001 requirements that auditors
should consider when planning a process audit.
An evaluation of conformance with planned arrangements requires auditors to:
▪ Gather evidence that the planned inputs, resources and controls are being applied and
result in the output planned

An evaluation of the achievement of intended results (i.e. effectiveness of the process) requires
auditors to:
▪ Gather evidence that the output(s) of the process are meeting requirements, including
the quality policy and objectives of the organization

Planning a process audit
The objective of the planning phase is to:
▪ Develop a preliminary understanding of the process and applicable audit criteria
▪ Develop a strategy for gathering audit evidence to use to evaluate conformance with the
audit criteria
▪ Develop working documents, for example checklists, sampling plans and forms for
recording audit evidence and findings

This involves:
▪ Identifying applicable ISO 9001 requirements
▪ Identifying applicable quality management system requirements. For example,
requirements identified by the organization when determining actions to address risks
and opportunities, quality objectives, interested parties’ requirements, statutory and
regulatory requirements, and requirements defined in documented information
▪ Deciding what audit evidence needs to be gathered, and how to do this
▪ Preparing a checklist to use as a guide and point of reference during the audit

As you commit the content and requirements of ISO 9001 to memory the need to include ISO 9001
requirements in a checklist diminishes. However even the most experienced auditor needs to
develop a strategy and working documents to help gather audit evidence to evaluate conformance
with the requirements of the organization’s quality management system.

Risks and opportunities


Here are some examples of questions you might ask the process owner when considering risks and
opportunities.
▪ What risks and / or opportunities have been identified for this process?
▪ What other risks might exist?
▪ What actions have been identified as necessary to address these risks / opportunities?
▪ Have / how have these actions been integrated into the process?
- Check any documented information e.g. procedures, specifications, checks or
inspection requirements
- Check for evidence that these actions have been implemented as part of the
process
▪ What communication or training has taken place on the actions needed to address risks
and opportunities?
▪ How has the effectiveness of the actions been evaluated?
▪ Check for evidence and data to establish that risks have been avoided and opportunities
realised
▪ If the actions are not effective, what further actions have been identified?

Monitoring and measurement
Here are some examples of questions you might ask the process owner when considering
monitoring and measurement arrangements.
▪ How do you monitor and/or measure this process?
▪ How do these measures reflect:
- The quality policy?
- Higher level quality objectives?
- Customer requirements and feedback?
- Relevant requirements of other stakeholders?
- Related risks and opportunities?
▪ What improvements are you trying to make to this process?
▪ Who collects and analyses these data? When / how?
▪ What are the results? View data and compare with goals
▪ What actions have you identified as a result of reviewing this information?
▪ Sample documented information about the nature of nonconformances and actions
taken
- Check for evidence that these actions have been implemented; view
documented information of the results of the actions
- If the actions are not effective, what further actions have been identified?

Checklists
Your checklist should assist you in structuring the audit and guiding you to the audit evidence that
you need in order to fulfil the audit scope and objectives. It may include the audit criteria and
related evidence, including processes you will observe, people you will interview and the questions
you will ask, and the records and documents you wish to see. Use the checklist as a guide to refer
to as necessary, not a script to follow blindly.

The choice of format is a personal thing. What it looks like is not important; but it is important that
it helps you to perform an effective audit. A few example formats are shown below.

[Figure: example checklist formats: Portrait, Landscape, Flowchart, Mind map, Others]

Sampling plan
A sampling plan is a plan outlining how to gather the evidence you intend to look at during the
audit in order to determine conformance with the audit criteria. Remember, you are seeking
evidence of conformance, so will need to gather sufficient evidence to be confident that all
elements of the criteria are met.

A sampling plan might include an indication of:

▪ The range of records and documents that will be examined, e.g. “purchase documents
for the last twelve months and supplier records for the last two years”
▪ Personnel who may be interviewed
▪ Numbers of records to be viewed, e.g. “sample five project files including an xxx project
and an ABC project”. Where it is possible to determine the size of a population before an
audit you may be able to determine the proportion of records or examples you wish to
view. For example, if a sales office processes two hundred orders per month, you might
decide to examine a minimum of two randomly selected orders for each of the last six
months

The sampling plan could be included in the audit checklist or may be a separate document to be
used in conjunction with the audit checklist.

Use this space for your own notes:

Structuring a Process Audit Checklist
Structure the checklist to guide you through the audit as follows:

Process overview

For this part of the checklist, focus on gaining a general understanding of the process, its role in
the QMS, suppliers, customers, process owner.


Process evaluation
For this part of the checklist, focus on gathering evidence of conformity with the main ISO 9001
process specific requirements and any additional requirements the organization specifies in its
management system.

Process effectiveness (i.e. achievement of intended results)


For this part of the checklist, focus on what the process is intended to achieve. What does ISO 9001
expect to happen as a result of the process? What does the organization want to achieve from the
process (actions to address risks and opportunities, quality objectives)?

Recommendation
Start by developing the “Process evaluation” part of the checklist. Then complete the other
sections to fill in the remaining information.

Use this space for your own notes:

Checklist for a Process Audit

1. Controls
▪ How is the process defined?
▪ Who is responsible for the process, and how is their responsibility and authority defined?
▪ What statutory and regulatory requirements apply?
▪ What are the customer requirements, and how are these defined?
▪ What are the product/service specifications, and how are these defined?
▪ What objectives and performance indicators apply to this process?
▪ What action plans concerning risks and opportunities apply to this process?
▪ What monitoring and measurements apply to this process?
▪ What acceptance criteria exist?

2. Outputs
▪ What is the product or service produced by this process?
▪ Are product measures in place to ensure that product meets requirements?
▪ Verify process monitoring and measurement evidence
▪ Are product and process acceptance criteria achieved?
▪ Verify process and product analysis and evaluation evidence
▪ What feedback is received from internal or external customers of the process?

3. Inputs
▪ What triggers the process?
▪ What inputs are required?
- Information
- Materials
▪ Where do the inputs come from?
▪ Are they received in a timely manner?
▪ Are they fit for purpose?

2.1 Process
▪ What are the process steps?
▪ What happens at each process step?
▪ What documents and/or records are generated?
▪ Is the process implemented as described in procedures, instructions or plans?
▪ Are controls applied as described?
▪ Have the activities been carried out by the responsible people?

1. Intended results / Effectiveness Checks
▪ What is the purpose of the process?
▪ How does it impact on:
- The customer?
- Downstream processes and activities?
▪ Is there evidence that quality objectives and indicators affected by this process are being achieved?
▪ Where will the impact of the effectiveness of the process be felt?
▪ Where might failures of this process be identified?

1.1 Resources
Equipment and environment:
▪ What equipment and resources are required to complete the process?
▪ Is equipment suitable and maintained?
▪ Is the environment suitable and maintained?
People:
▪ What are the competence requirements for the activities?
▪ Is there evidence that people are competent and suitably trained?

Process Audit Checklist Template

Task
Produce a checklist to guide you through a process audit of CovSec’s internal audit process.
To complete the task, you will need to identify relevant requirements from ISO 9001, and from
CovSec’s Internal Audit procedure.
You need to identify 2 checkpoints each for inputs, outputs, controls, resources and
effectiveness.
We have given an example of an input to help you focus and be clear about the level of detail
needed; you need to identify 2 further input checkpoints.
At least 2 of your 10 checkpoints need to relate to CovSec specific requirements for internal
audit.

Process Audit Checklist Example

This checklist is based on the question in the IRCA specimen exam paper that asks you to produce
a checklist of 10 audit checkpoints for audit of the final product testing laboratory of an injection
moulding company.

Inputs

| Question/Check | Evidence | Requirement (quote the requirement and the source) |
|---|---|---|
| How is the sample to be tested selected? | Sample product awaiting testing and compare with any test procedures or specifications. | The implementation of measurement activities (8.5.1 f) |
| How is the sample to be tested identified? | Sample product awaiting test for evidence of appropriate identification. | The organisation shall identify the product (8.5.2) |

Outputs
| Question/Check | Evidence | Requirement (quote the requirement and the source) |
|---|---|---|
| How are test results recorded? | Sample test records and compare with acceptance criteria. | Evidence of conformity with acceptance criteria shall be maintained (8.6 / 7.5.3.2) |
| Who is authorised to release product? | Sample test records for evidence of release authority; compare with job description. | Records shall indicate person authorizing release of product (8.6) |
| How is tested product identified? | Sample tested product for evidence that its identification correctly records its inspection status. | Identify product status (8.5.2) |
| How is product that fails testing identified and controlled? | Look for evidence e.g. of a quarantine area. Check that passed and failed product is separated and clearly identified. | Identify and control product that does not conform (8.7) |

Controls
| Question/Check | Evidence | Requirement (quote the requirement and the source) |
|---|---|---|
| Are there any documented procedures, specifications or work instructions for final product testing? | Check that any documents are appropriately controlled, and look for evidence that the process conforms to the requirements. | Documents needed for effective planning, operation and control of processes (8.1). Availability of documented information as necessary (8.5.1 a) |
| How are samples preserved during the testing process? | Check samples and compare with any specified arrangements. | Preserve the product during internal processing (8.5.4) |
| What are the criteria / specifications for the test? | Compare test specs with test records. | Monitor and measure characteristics of the product (8.5.1 f) |
| What product acceptance criteria were identified as part of the design process? | Compare design outputs with inspection and test specifications. | Design outputs shall reference product acceptance criteria (8.3.5) |
| What objectives or targets apply to this process? | Sample evidence of monitoring of objectives and process measures. | Monitor and measure processes (4.4.1 c) |

Resources
| Question/Check | Evidence | Requirement (quote the requirement and the source) |
|---|---|---|
| What resources are needed for product inspection? | Check that appropriate human resources, infrastructure and work environment are available to complete the required product testing, on time. | Determine and provide the resources needed (7.1) |
| Who is involved in final product testing? How are their responsibilities and authorities defined? | Sample job descriptions for staff involved in the process. | Responsibilities shall be defined (5.3) |
| What competence requirements have been identified for laboratory staff and how have those requirements been met? | Sample records of competence for staff in the laboratory. Compare with competence requirements, job descriptions, and the work you have observed them undertaking. | Personnel shall be competent (7.2) |
| What special conditions apply to the laboratory environment? | Check how any requirements for e.g., temperature, cleanliness etc are met. | Determine and manage the work environment (7.1.4) |
| What measuring equipment is used? | Check equipment and compare with test specification - is it capable of measuring what it needs to measure? | Determine provide ... process equipment. (7.1.3) |
| How is equipment maintained? | Compare maintenance records with plans. | Maintain... process equipment (7.1.3) |
| How is equipment calibrated? | Sample calibration records for equipment observed in use and compare with test and calibration specs. | Measurement equipment shall be calibrated (7.1.5.2) |

Intended results/Effectiveness
| Question/Check | Evidence | Requirement (quote the requirement and the source) |
|---|---|---|
| What are you trying to achieve through this process and how is the performance of the process monitored? | Sample data and compare with targets and objectives. | Monitor and measure processes (4.4.1 / 8.1) |
| What do you do if targets are not achieved? | Look for evidence of corrective action plans if targets are not achieved. | Where planned results are not achieved, take corrective action (10.2.1) |
| Does product ever get released that does not meet the test criteria? | Look for evidence of downstream problems with the product including customer complaints, returns, warranty claims etc. Is the final inspection process effective in identifying if product is fit for purpose? | Identify and control nonconforming product (8.7.1) |

Day 3 - Evening Work
There are two parts to the evening work.

Case study: CovSec Internal Audit

Task
Undertake an audit of CovSec’s Internal Audit process, using the Case Study Information and
Procedures document. The purpose of this activity is to practice applying your skills of sampling,
document search and note taking.

Process
Plan your sample, based on:

▪ The audit checklist you prepared earlier
▪ The report available
▪ What you have found out about CovSec and processes that you think may be particularly
important, or where you think there may be issues

Adopt a systematic approach to reviewing your sample.


Make notes of evidence on the following pages.

Spend no more than 45 minutes on this activity.

Output
After 45 minutes, you should be able to:

▪ Make a decision about the conformance of the process to ISO 9001
▪ Identify any major nonconformities with CovSec’s internal audit process
▪ Describe any minor nonconformities or inconsistencies you found in the sample you
looked at (with specific examples and evidence)
▪ Identify questions or queries you would want to check out with the process owner

Be prepared to share this information with the rest of the group on the morning of day four.

Session 12 - Audit Reporting
Audit reporting and nonconformities

Purpose of the audit report


If an audit is handled well it should be a helpful process in its own right. However, in many
instances, the real value from the audit comes from the actions that take place after the audit and
particularly the corrective actions and improvements that result from the audit.
The purpose of the audit report is to record the audit findings and act as a catalyst for action. A
concise, clearly written audit report with specific examples and relevant, business related
explanations will support the auditee in implementing value adding improvements.
It is common practice to record findings that require action, i.e., nonconformities, in a separate
part of the report, such as a findings log or on separate templates. This enables the auditee to very
quickly see where action is needed, and also helps the auditor and the auditee to monitor progress
easily.

This section is structured as follows:

▪ Writing and grading of nonconformity reports
▪ Additional content for the audit report
▪ Conducting closing meetings

Nonconformities
Remember, the definition of nonconformity is “non-fulfilment of a requirement” (ISO 9000).
So, you must be able to identify a specific requirement that has not been met before you can raise
a nonconformity report.

The requirement could be in any of the audit criteria, and could be:

▪ An ISO 9001 requirement
▪ A customer requirement
▪ A statutory or regulatory requirement
▪ A requirement of the organization’s own Quality Management System, such as a policy, a
procedure etc.

Note: The term nonconformity is the correct term to use when describing a non-fulfilment of a
specified requirement relating to a management system standard. The term non-compliance
should not be used in the same context as this relates to deficiencies in meeting regulatory or legal
requirements.

Use this space for your own notes:

Session 12 Continued: Grading Nonconformities

Many audit systems require auditors to grade nonconformities to indicate the severity of the
problem found. The grade of the nonconformity may have a significant impact upon the
conclusion of the audit.

Most audit systems will have two main grades of nonconformity, typically “major” and “minor”.
The terms used may vary from one organization to another and some audit systems have more
than two grades. As an auditor you need to familiarise yourself with the specific procedures you
will work to.

Implications of the nonconformity grades


Third party audit: One or more major nonconformities would prevent the auditor recommending
certification. Where the organization already has a certificated management system, a major
nonconformity represents the first step in the process to withdrawal of certification.
One or more minor nonconformities would not prevent the auditor recommending certification,
provided that the auditee provides an acceptable plan for corrective action before the certification
decision is made; where the organization already has a certificated management system, minor
nonconformities will be followed up by the auditor at the next scheduled visit.

Second party audit: One or more major nonconformities may impact the customer’s decision to
use the organization as an approved supplier or may impact the scope or nature of the contract
awarded.

First party audits: Different grades are often linked to escalation levels, so that the problems found
are given appropriate priority and are brought to the attention of appropriate levels of
management.

Examples:
Before allocating a grade to a nonconformity report you need to consider:
▪ Is there a system capable of satisfying the audit standard, e.g. ISO 9001 or customer
requirement (second party)?
▪ Where there is a system, but it is not complete, how significant is the gap?
▪ Where there is a system in operation, to what extent has implementation broken down?
▪ What risk to the customer arises from the nonconformity?

Where several minor nonconformities have been raised from different parts of the organization but
all relate to the same issue, these can be grouped together. If their collective impact constitutes a
major nonconformity, then one major nonconformity should be raised.

Writing nonconformities
The nonconformity report will be read by many people, most of whom will not have been at the
original audit. Also, it may be read many months after it was written. Consequently, it’s important
that nonconformity reports are self-explanatory, clear and factual. They also need to be easily
understood and concise; keep the information on the nonconformity report to a minimum and
record any detailed explanations and background in the main body of the audit report if
necessary.
Nonconformity reports must be based on objective evidence, i.e. real tangible evidence that the
auditee can verify. You should ensure that the report will enable the auditee to precisely identify
the problem and take corrective action.
Include the following information:

Audit report: additional content

Verbal audit reporting


Remember that the written report is only one element of the audit reporting process, and that
meetings and verbal feedback throughout the process are also important.

When presenting nonconformity reports the findings should be presented clearly and concisely.
Be sensitive and empathetic and deliver the message directly and assertively.
A well-written nonconformity that references the evidence and scale of the problem will normally
need little further explanation. The decision on the grade given to the nonconformity rests with
the lead auditor and you should not enter into negotiation on the grade with the auditee. However,
if there has been a genuine misunderstanding and the auditee is able to present additional
evidence that has been overlooked then you should be prepared to re-evaluate the situation. For
this reason, it is usual that nonconformity reports are presented and agreed with the auditee
organization before the final report is compiled and prior to the closing meeting.

Closing meeting
The closing meeting should present the audit result in a clear manner and should not introduce
any new data.

All nonconformities should have already been presented to the client and accepted before the
meeting.

Do not be afraid of giving bad news, i.e. when recommendation for approval cannot be made.
However, do be courteous and tactful. Always try to make the client aware of the audit result
informally before the meeting, as this limits surprises.
Try to limit interaction and keep the content of the data presentation to an overview, rather than
detail of particular nonconformity reports.

Invite questions but limit these to the content of the meeting.

Use this space for your own notes:

Session 13 - Corrective Action
Corrective action and follow-up
Corrective action
To complete the cycle of any audit, whether first, second or third party, the auditee will need to
take corrective action to eliminate the root cause of the nonconformity and prevent it from
recurring.
Whilst you as the auditor should seek to determine the root cause of any problem it will not always
be practical or possible to do so. Time constraints and complex problems may make it necessary
for the auditee’s organization to continue the investigation after completion of the audit. ISO 9001
Clause 10.2.1 is quite clear on what needs to happen to resolve the nonconformity. In most cases
this is the responsibility of the auditee.

Responsibilities for corrective action


In the case of third party audits the auditor must not give consultancy to help solve the problem,
as this would jeopardise the impartiality and independence of the audit. Auditors may however
direct the auditee towards public domain information that could help them to determine a
suitable solution for their business.
In the case of second party audits the auditor’s organization may agree with the auditee what
corrective action would be appropriate, and in some instances may impose certain corrective
action requirements. There is no hard and fast rule for this; it is dependent upon the
customer/supplier relationship.

Follow up activities
The primary role of the auditor is to verify that corrective action has been taken and that the action
taken has been effective in eliminating the root cause of the problem.

Auditors can do this through a combination of:

▪ Reviewing corrective action plans (and in the case of a certification audit, such action
plans must be submitted before the decision to recommend certification can be made)
▪ Remote review of evidence such as procedures and records, to show what actions have
been taken and their effectiveness
▪ Follow up audit to re-test the system and ensure that the problem has been prevented
from recurring

As the auditor closing out a nonconformity report, remember that in making the decision to close
the issue, you are indicating that you are confident that the corrective action taken will prevent
the problem from happening again.
In all cases there needs to be sufficient time between the initial audit and verification activities.
Time is required to allow for a full investigation of the problem, identification of a cost-effective
solution, implementation of the solution, generation of evidence and records and verification by
the auditee organization that the solution has been effective.

Use this space for your own notes:

Exercise: Reviewing Corrective Actions
On the following pages there are two nonconformity reports. The reports identify the nature of the
issue found by the auditor and the corrective action that the auditee organization is claiming to
have taken.

Review each report and consider the following:


▪ Does the response from the auditee organization demonstrate that ISO 9001 clause 10.2.1
has been applied?
▪ What evidence would you gather to test the effectiveness of the corrective action taken?
▪ Would you close out the nonconformity on the basis of the information given?

Report 1

NONCONFORMITY REPORT
Company Name: CovSec
Report Number: 08/XX/01
Note Number:
Area under review: Purchasing
ISO 9001:2015 Clause Number: 8.4.3
Grade (* delete one): MAJOR* MINOR*

From a sample of 20 purchase orders sampled none had been authorised by
the Procurement Manager as required by QP04 Rev A.

Personnel performing the verification activity of purchase orders did not have
defined and documented authority to do so.

Corrective Action (response from auditee):

All the purchase orders above have now been countersigned by the
Procurement Manager.

Auditor : Date :

Notes for nonconformity report number 1.

Report 2

NONCONFORMITY REPORT
Company Name: CovSec
Report Number: 08/XX/02
Note Number:
Area under review: Control Centre
ISO 9001:2015 Clause Number: 10.2.1
Grade (* delete one): MAJOR* MINOR*

A review of the current control centre log showed that the entry for Nutcrackers
15/5/XX and Expen 18/5/XX had not been actioned within 4 hours as required
by the Quality Policy (12 entries on the log).
There was no evidence of any investigation or corrective action to detect and
eliminate the cause of the delay.

Corrective Action (response from auditee):

Investigation into the problem identified that in both cases road works and
traffic jams had prevented response within 4 hours.
The nearest engineers had been contacted. No other engineer was available.
Continue to monitor response time. No action proposed at this time

Auditor : Date :

Notes for nonconformity report number 2.

Surveillance audits
▪ For third party and many second party audits, a successful initial audit will be followed
by periodic surveillance visits
▪ The purpose of the surveillance is to ensure that the audit criteria continue to be met
▪ It is common practice to plan each surveillance visit at the preceding audit or surveillance
visit
▪ The surveillance plan is typically included in the formal report and referred to at the
closing meeting. In this way the surveillance visit can be planned to follow-up on minor
nonconformities and concentrate on areas where potential improvements have been
identified
▪ Second party audit organizations may have company specific procedures for periodic
surveillance visits, which could include reviewing the results of continuous improvement
programmes
▪ Surveillance visits will usually re-test critical management system elements such as
management review, internal audits, corrective actions and continual improvement, and
also sample some operational processes

Use this space for your own notes:

Session 14 - Audit Skills
Interviewing

You will use a range of skills during the audit interview, including:

Building rapport
▪ Take time to explain who you are, why you are there and what you’re going to do
▪ Be interested in the person you are talking to and their work
▪ If they seem tense, try to relax them – make small talk if you think this will help
▪ Match the person – if they appear to be in a hurry, then get to the point. If they speak
slowly and methodically, then match this. Use the same language and terminology

Asking questions
▪ Use open questions – that start with “how”, “what”, “who”, “why”, “when”, “where”
▪ Start with very broad questions that allow the person to tell you what’s important for
them, then narrow down your questions to get to more specific facts

Listening
▪ Be attentive – if you are busy thinking what to ask next, you are not listening properly.
▪ Probe what the interviewee tells you for more information
▪ Summarise your understanding back to the interviewee to check that you have
understood correctly

Body language
▪ We are communicating constantly through our body language
▪ Pay attention to the messages you are giving through your posture and mannerisms
▪ Be aware of your interviewee’s body language and what it is telling you
▪ Keep body language relaxed and open
▪ If the interviewee is sitting, then sit; if they are standing, then stand

Observation
▪ Observe processes being carried out where possible and see if what happens in practice
matches what was planned. Check whether different people have different ways of doing
something, and whether this matters
▪ Notice what is going on around you – use your peripheral vision and hearing
▪ Look at notice boards and information points

Sampling
Management system audits are based on the principle of sampling. This means that if we look at a
representative sample, we can be reasonably confident that what is true of the sample will be true
of the whole population.

If we audit processes systematically, selecting representative samples and looking for evidence of
conformance, we can be confident that we will find any major nonconformities that exist in the
system. We may or may not find all the minor nonconformities, but our job is not to look for
nonconformity.

Sampling - records
▪ Random
▪ Statistical
▪ Percentage
▪ Targeted
▪ Timebound
▪ Value based
▪ Product based
▪ Risk based

In management systems auditing, sampling is an art rather than a science. Here are some tips:
▪ Always look at more than one example
▪ When you feel confident that what you have seen conforms to the criteria, move on
▪ Increase your sample if you find a problem, to establish the extent and significance of the
problem
▪ Link your samples through audit trails, so that you can properly evaluate processes and
process interfaces

Considerations for sampling:

▪ Large volumes of data: Appear daunting but are not usually difficult to assess
▪ Sampling for confidence: Do not just “hunt for nonconformity” and then move on
▪ Criticality of processes: Concentrate on key processes and all the applicable aspects of ISO 9001
▪ Avoid quoting percentages: Can give a false impression

Note taking
The notes you take during the audit will be used to create the audit report, including any
nonconformities. You need to make sure that you record in your notes all the information you will
need in order to do this.

You will also need to note down information to help you complete the audit effectively, for example
any audit trails you want to follow.

Underline the text you believe to be key as part of this audit:

▪ "It was seen in the painting area, that for contract No 2358, yellow paint was being used
when the drawing 127845 rev 2 required white paint to Spec 45 to be used. The paint shop
manager said that the customer, Axis Machinery Plc had given a concession for an
equivalent specification yellow paint to be used because no white paint was available"
▪ "It was found in the painting area that drawing 127845 rev 2 was being used when the
contract, No 2358 required manufacture in accordance with drawing 127845 rev 3"
▪ "Samples taken in the Sales office included an order from Axis Machinery Plc, order No
48967/A for 6 off drive heads, item No 347854, complete order to be despatched to
Boston. Order amendment received changing the requirement to 5 off drive heads No
347854 to be despatched to Boston and two off drive heads No 347855 to be despatched
to Washington."

Use this space for your own notes:

The Interview Funnel
Start with broad, open questions, then make them more specific as you drill into the detail. You might need to ask one or two closed questions
at the end to pinpoint specific facts.

▪ What does your role involve?
▪ What’s important about this role?
▪ What’s involved?
▪ How do you do that?
▪ What happens next?
▪ When do you do that?
▪ Who else is involved?
▪ Do you………?

“Chunk up” – from the specifics to the big picture, where someone is giving you too much detail, e.g.
▪ What’s important about that?
▪ What does that contribute to?
▪ What’s that part of?

“Chunk down” – from the general to the specific, where someone is being too general, e.g.
▪ How, specifically, do you…
▪ What’s an example of that?
▪ What has to happen to…?
▪ What happens next?

Session 15 – 6-Stage Approach to Audit
1. Set the scene
Take a couple of minutes to set the audit up and get the interviewee’s buy-in:
▪ Introduce yourself and explain why you are there
▪ Build rapport and try to relax the interviewee
▪ Outline the purpose and scope of this part of the audit
▪ Explain the audit process, how the audit will be reported and that you are auditing the
system, not them as an individual

2. Establish the basics


Make sure you understand the context for the process you are auditing. This part of the audit is
best done with the process owner or manager.

Determine:
▪ Who is the auditor talking to?
▪ What is their involvement in the process?
▪ What is the purpose of the process?
▪ What activities are involved in the process?
▪ Who else is involved?
▪ How does the process contribute to the quality policy and objectives?
▪ Are risks and opportunities determined and addressed?
▪ How is the process measured / monitored / analysed / evaluated?
▪ What documented procedures, instructions and quality plans do they follow?

3. Understand the process


If there are documented procedures for the process, you will already have some idea how the
process works. This stage of the audit will enable you to find out from the interviewee their
understanding of the process. It will also enable you to identify activities that are not fully
described in procedures and understand how the process works in practice. It can be helpful if the
interviewee shows you an example as they are explaining the process to you, but don’t yet get too
involved in the detail of the evidence – that will come in the next step.

Determine:
▪ An overview of the process?
▪ What should the process achieve?
▪ What are the process steps?
▪ What happens at each process step?
▪ What controls / check points are there?
▪ What authority do people involved have?
▪ What acceptance criteria exist, if applicable?
▪ What documents and / or records are generated?
▪ Is the process implemented as described in documented procedures, instructions or
plans?

▪ Are there any processes within the audit scope that are not included in the management
system and should be?
▪ How is the method defined for carrying out the process step?
▪ What are the inputs?
▪ Where do the inputs come from?
▪ What form do the inputs take?
▪ What are the outputs?
▪ What form do they take?
▪ What are the resources?
▪ How are they developed?
▪ How are they maintained?
▪ What problems exist in the process?
▪ What would the interviewee change, if they could?
▪ How could the process be improved?

4. Search for objective evidence


Having gained a clear understanding of the process, you can now start sampling in detail. Ask to
look at examples, and remember to vary your sample to cover the range of activities, people, dates,
product lines etc.

Sample to verify that:


▪ They have done what they planned to do (i.e. that the process conforms to requirements
and planned arrangements)
▪ That the process has been effective (i.e., that desired results have been achieved)
▪ Process inputs have been correct and complete
▪ Inspection or verification activities have been carried out where required
▪ Acceptance criteria have been satisfied
▪ Process outputs have been correct and complete
▪ Communication and inter-relationships with other functions have been effective and in
accordance with planned arrangements
▪ The process results satisfy the audit criteria
▪ Performance standards have been achieved
▪ If desired results are not achieved, that appropriate correction and corrective action has
taken place

5. Check back
Re-visit your audit checklist and make sure you have covered everything you intended, including:
▪ Following up on findings and notes from previous audit activities to:
- Verify effective communication and accurate transfer of data and materials
between processes
- Determine whether potential problems previously identified are conforming or
otherwise
- Determine if the root cause of any previous adverse finding originates from the
process being audited

▪ Check:
- All planned aspects of the audit have been completed
- Notes have been made of findings that need to be reported or followed up later

6. Close out
Close this part of the audit by:
▪ Providing a brief summary of your findings
▪ Identifying any areas where they will need to make improvements
▪ Giving positive feedback about those aspects of the process that are working well
▪ Explaining what will happen next, how and to whom the audit will be reported
▪ Thanking the interviewee for their time and cooperation

Use this space for your own notes:

Day 4 - Evening Work
▪ Revisit the specimen exam paper and identify any questions you want to review
tomorrow morning
▪ Complete the quiz questions below
▪ Review section 3 Q1 of the specimen paper
▪ Re-read your pre-course work and delegate notes

Use this space for your own notes:

Quiz
This ISO 9001 quiz will help you revisit some of the clauses of ISO 9001 and perhaps dispel some of
the myths about its requirements.

IT IS A REQUIREMENT OF ISO 9001 THAT: True/False? Clause?
1. There must be a full time Quality Manager No
2. The Quality Policy must be understood by all employees No
3. There must be statistical batch sampling during Goods Receiving No
4. A Quality Manual is mandatory No
5. The terms design verification and design validation are used interchangeably in ISO 9001 No
6. Management Reviews must be recorded No
7. Top management are responsible for communicating to the organization about the management system No
8. Customer requirements must be reviewed prior to the organization’s commitment to supply a product No
9. Design reviews must be held to verify design No
10. There must be complete traceability of all materials used No
11. Quality objectives must be documented No
12. Monitoring of processes over time enables trends to be determined No
13. Internal auditors must propose corrective actions No
14. Record retention times must be specified No
15. All measuring and test equipment must have a known valid relationship to nationally recognised standards No
16. Internal audit nonconformities must be analysed No
17. The cause of quality failures must be investigated to prevent recurrence No
18. ISO 9001 encourages risk-based auditing No
19. Processes must be documented No
20. ISO 9001 approved organizations may choose not to measure customer satisfaction No
21. A documented procedure must exist for management review No
22. Organizations may use complaints data as a way of monitoring customer satisfaction No
23. Management review meetings must be held No
24. Outsourcing of processes that affect product conformity is not permitted No
25. Top management do not get involved in the quality management system No

Session 15 Continued: Case Study Exercise – CovSec Audit
Task
As a team, you will audit up to five of CovSec’s processes, which are:
▪ Sales
▪ Purchasing
▪ Management review
▪ Training
▪ Alarm installation

Assume that this is an initial 3rd party certification audit. This is the stage 2 audit, and it is the first
external audit CovSec has experienced.
The audit takes place in June year 02.

Process
Appoint an overall team leader for the task
This person will be responsible for managing and coordinating the overall process and ensuring
that the audit objectives are achieved in the time available. They will also support, monitor and
coach other auditors. The overall team leader will also need to take on the role of an auditor in one
of the five audits.

The overall team leader will also be responsible for moderating the audit findings and facilitating
the output for the audit reporting exercise.

Prepare an audit plan for the team audit


▪ Decide the sequence in which you want to audit the processes
▪ Decide how long to spend on each audit (once you have closed the audit the tutor will
take 10 minutes to give feedback to the individual auditors, so please allow for this in
your timescales)
▪ Allocate a Lead Auditor and an Auditor for each of the five audits. Make sure that anyone
who has not yet taken a team leader role takes a Lead Auditor role today. The Lead
Auditor is responsible for the successful, timely completion of their specific audit
▪ Plan time for team meetings to share audit trail information in between each audit
▪ Identify observers for audits (optional). The purpose of the observer is purely to learn
from other auditors – they are not part of the audit, and will not pass information to
subsequent audit teams
▪ Complete the proforma and send it to the tutor

Prepare individual audits in your audit pairs
This will include:
▪ Reviewing relevant CovSec documents
▪ Reviewing relevant clauses of ISO 9001
▪ Identifying audit trails from other parts of the audit that you wish to follow up in your audit
▪ Preparing working documents to guide you through a process audit to evaluate conformity
and effectiveness of the process

Conduct the audit


You will be auditing CovSec managers as follows:
▪ Sales: P Nutt, Customer Services Director
▪ Purchasing: C Johnson, Procurement Manager
▪ Management Review: C Collins, Quality Manager
▪ Training: P Lomas, Training Manager
▪ Alarm Installation: C Croft, Installation Manager

▪ Stick to the time scales you have agreed with the team
▪ Audit the process and apply the 6-stage approach
▪ Look for conformity, not nonconformity
▪ Sample – there will be records available, so plan what you want to look at and make sure
you ask to see examples
▪ Make sure you audit the conformity and effectiveness of the process
▪ Identify audit trails to be followed in later audits

Report the audit


Once you have completed your audit, each person should prepare a valid nonconformity report or
audit trails. (See the next exercise “Reporting the CovSec Audit”).

Output
At the end of each audit you should have:
▪ Valid findings from your audit
▪ A good relationship with each interviewee
▪ Audit trails to pass on to the subsequent audit teams, to enable a thorough audit of the
effectiveness of CovSec’s processes
▪ A valid, unique nonconformity report for each person or audit trails to further investigate
a potential problem (see also the Case Study Exercise: Reporting the CovSec Audit)

Session 16 - Consolidation
Action planning
Spend a few minutes reflecting upon what you have learned on this training course. Revisit the
objectives you defined for yourself at the start of the course and consider the extent to which you
have met these, and which ones need more work.
What do you want to do?

STOP
What were you doing before the course that you have identified you now want to stop?

START
What were you not doing before the course that you now want to start?

CONTINUE
What were you doing before the course that you wish to continue, or do more of?

Development planning
Think about what further development needs you have; what are the next steps to get you to where
you want to be?

Experience
How will you get further experience as an auditor?

Think about…
▪ Opportunities for auditing in your own and other organizations
▪ Working with an experienced auditor
▪ Acting as a guide for external auditors
▪ Auditor certification from IRCA (www.irca.org)
▪ Don’t forget to complete IRCA audit logs for each audit you do – you can download
templates from the website

Knowledge
In what areas do you feel you need to improve your knowledge? How will you do this?

Think about…
▪ What your organization wants to achieve from its management system
▪ Learning more about different management system standards (e.g. Health and Safety or
Environment); see www.lrqa.co.uk/training for a full range of courses

Skills
What skills do you want to develop further?

Think about…
▪ Your auditing skills
▪ Interpersonal skills
▪ Management skills

Contact LRQA to find out how they might be able to help with these.

The Role of CQI and IRCA in Auditor/Lead Auditor Development
▪ The International Register of Certificated Auditors (IRCA) is a division of the Chartered
Institute of Quality (CQI)
▪ CQI and IRCA is a global organization which promotes the professionalism and
consistency of auditors in all types of management systems
▪ CQI and IRCA Training Certification and IRCA Auditor Certification are recognised and
valued worldwide
▪ CQI and IRCA auditor training courses are the accepted benchmark for management
systems auditor training and over a million people have completed CQI and IRCA training
courses in more than 120 countries throughout the world
▪ Further information on IRCA auditor certification can be found at www.irca.org
▪ This training course meets the requirements of CQI and IRCA training course specification
PR 328 and LRQA's Training Services can also offer CQI and IRCA approved training
covering other management system disciplines
▪ Please contact LRQA's Training Services or your Tutor for details of other CQI and
IRCA approved courses concerning management systems

What Does This Mean to You?


On successful completion of this LRQA course you will receive a certificate bearing the CQI and
IRCA logo, which may be used to support an application for auditor certification with IRCA.

Auditor Grades
Provisional Auditor
▪ CQI and IRCA certified training course
▪ Work experience
▪ Education

Auditor
▪ CQI and IRCA certified training course
▪ Work experience
▪ Education
▪ Audit experience

Lead Auditor or Principal Auditor


▪ CQI and IRCA certified training course
▪ Work experience
▪ Education
▪ Audit management experience

Join CQI and IRCA and receive valuable benefits, including:
▪ Improved professional credibility
▪ Use of the CQI and IRCA identification card
▪ Increased earning potential
▪ International recognition for your skills
▪ Use of the IRCA auditor logo on your business cards

Code of Conduct
It is a condition that all certified auditors agree to act in accordance with, and be bound by the
following Code of Conduct:
▪ To act in a strictly trustworthy and unbiased manner in relation to both the organisation
to which they are employed, contracted or otherwise formally engaged (the audit
organisation) and any other organisation involved in an audit performed by them or by
personnel under their direct control
▪ To disclose to their employer any relationships they may have with the organisation to
be audited before undertaking any audit function in respect of that organisation
▪ Not to accept any inducement, gift, commission, discount or any other profit from the
organisations audited, from their representatives, or from any other interested person
nor knowingly allow personnel for whom they are responsible to do so
▪ Not to disclose the findings, or any part of them, of the audit team for which they are
responsible or of which they are part, or any other information gained in the course of the
audit to any third party, unless authorised in writing by both the auditee and the audit
organisation to do so
▪ Not to act in any way prejudicial to the reputation or interest of the organisation
▪ Not to act in any way prejudicial to the reputation, interests or credibility of IRCA
▪ In the event of any alleged breach of this code, to co-operate fully in any formal enquiry
procedure

We hope you enjoyed your course

You will be contacted by the CQI and IRCA for feedback on the course and your Approved
Training Partner.

Filling in this short survey will help to ensure the continuing high standards of these courses.

For further information, the CQI and IRCA offer a range of services to
support you throughout your career.

Please visit www.thecqi.org or www.irca.org
