Information - Protocol Specifics

The advent of ISO/IEC 17021 [...for certification bodies...] and ISO 19011 [Guidelines for Quality and/or Environmental Management System Auditing] lead to auditing changes [we must reiterate that ISO 19011 is a guide (not a requirement for internal Management System auditing), it a requirements for registrars and registration bodies]:

The term audit phases has been replaced with activities. In addition, the term "documentation review" is seen as a mutually exclusive activity - here at BULLTEK LTD still refers to Adequacy Audit or part of Phase I. ISO 19011 lists auditing completion tasks. Thereof, listing within auditor courses the following protocol is advised:

1. Initiation (define audit objectives)
2. Reviewing (implies examining the management system documents)
3. Preparation (planning for on-site auditing activities)
4. Execution / Realization (auditing the management system)
5. Reporting (reporting the results of the audit)
6. Completion (completion of the audit plan)
7. Follow-up (conducting follow-up auditing, when and if required)

Thereof, a synopsis of the the key auditing activities are noted as follows:

Initiation of the Audit

  • Identify and define the purpose of the audit;
  • Designate an audit team;
  • Defining the objectives, scope, and criteria for the audit;
  • Determining the feasibility of the audit;
  • As requires, select the audit team; and
  • Establishing the initial contact with the auditee, as deemed necessary (considering 1st, 2nd or 3rd Party Auditing).

Documentation Review

  • Reviewing the management system documentation prior to on-site auditing (including each relevant document and record) - Could review documentation in a preliminary site visit;
  • Determining conformity as integral part of the audit criteria (or objective);
  • The on-site audit may be deferred if needed;
  • Reporting of documentation findings whether concerns or non-conforming;
  • Proceed with the on-site audit if not deterrent due to the findings at documentation.

Preparing for the On-Site Audit

  • Prepare an audit plan, a basis for agreement, and submitted to the auditee;
  • The audit plan provides the basis for scheduling and coordinating the on-site audit;
  • Any planning must be kept flexible thus permitting changes during the audit itself;
  • Assign activity work to the audit team members;
  • Prepare for the auditing work documents: including checklists, check sheets, forms, and related;
  • Confirm the on-site audit  logistics and needed arrangements.

Performing the Audit

  • Conduct an opening meeting;
  • Ongoing communication during the audit;
  • As needed, discuss the role of the guides and observers;
  • Commence the interviewing process on personnel performing work activities;
  • Gather data and information;
  • Proceed to verify the information;
  • The audit team prepares and agree on the audit conclusions; and
  • Complete a closing meeting.

Reporting Audit Results

  • The audit team prepares the audit report, in 2nd and 3rd Party auditing the term "Lead Auditor" comes into effect as applies to third party auditing;
  • The report is as accurate, precise and concise record of the audit;
  • Date, review, and approve the audit as dictated by procedure;
  • The audit report is issued within the agreed arrangements (closing meeting) or otherwise procedure; and
  • The report must be distributed to the audit or otherwise client-designees.

Completing the Audit
An audit is "complete" when:

  • The activities stipulated within the audit plan have been completed;
  • The audit report has been approved and distributed;
  • Records have been kept or otherwise destroyed per agreement; and
  • Non conformances have been effectively corrected (as the audit is not considered "closed" until verification of the effectiveness of the action taken, when corrective action has been requested). 

When conducting Follow-up...

  • If there is a corrective action request (a nonconformity), conclusions implies actions must be taken by the auditee;
  • Corrective action(s) need be taken within an agreed time frame;
  • Whilst, such actions are outside the audit time frame planning / plan indeed the audit stays open until effective action has been taken;
  • The auditee may inform the audit team action and when has it been taken (per agreement);
  • The effectiveness of the  action taken must be verified; thus
  • This verification can be part of the planning of a subsequent audit unless otherwise determined that the action must be verified prior to closing a request for action / non conformance.

 

 

 

Audit and auditing, some thoughts…

In the activity of auditing, the information obtained must assist the audit team to identify that system implementation meets ISO 9001:2008 (or variants) requirement. During the realization of this activity concurrence between said and done requires examining, evaluating and reporting. And that the resulting managerial system meets the requirements under which the organization  ascribes.

 

Obtaining objective evidence requires audit skills, techniques and knowledge on the activity to be audit. The old adagio "plan twice and realize once" goes far for auditing. A checklist / check sheet is an opportunity to "view" the activities to audit and textually outline the strategy to follow. Once the strategy is planned through knowingly what information to obtain (on the basis of established criteria), other questions will rise as the audit progresses.

 

Obtaining information is through techniques that allow the auditee to provide information and assisting the audit team in concluding the level of system implementation effectiveness. As humans we have two ears and one mouth, use these accordingly. During this process ascertain that the interviewee from whom gathering information is the correct responder. There may be no value in obtaining information from the incorrect source.

 

Clarification and confirmation is a technique that applies to assisting in ascertaining that the communication with interviewees is effective. The use of open and close questions assist in achieving audit objectives. Close-questions are best apply when a specific piece of information needs confirming. Open questions are those leading to a conversation, and allow the interviewee(s) to convey information about the audit team inquiry, thus audit objectives. It is important for the auditee / interviewee to know what's being valued, and that this value is the effectiveness of the management system and not their specific performance.

 

Be "straight forward" with interviewee / auditee and ask one question at a time - this is not a military type interrogation...

 

Careful playing psychologist, misreading a sign or body language could affect in the objective of the audit and confuse the interviewee. Much to often we encounter train auditors that were taught to read this or that signal, experience and time has taught that techniques within the field of psychology is best left within the realm of the  latter.

 

A Note on Note Writing

 

The interviewee / auditee must understand that note taking does not construed wrong or right but just gathering information to arrive to conclusions. Needless to say do not take notes continuously, this impedes the interviewee to maintain a fluent conversation. This is why understanding that what's being examining is the management system, practices and methods and not the performance of individuals. Thus to realize and transmit that this is true, second though must be given to writing names of individuals when writing the report.

 

    Note on notes - Notes shall contain information assisting to conclude objectively and have the ability for other competent audit teams to arrive to the same conclusion.  Thus, information obtained shall be traceable.

 

The auditee must feel comfortable, and yourself have informed, that the audit outcome they will be first to know. If your interview leads to follow a trail, when feasible, inform the interviewee.

 

Under ISO 9001:2000, with its lesser documentation requirements, follow-up, cross reference, and verifications is a need. The audit team may not have the luxury of outlined and documented information of what's being assess. It is the responsibility of the organization being audited to demonstrate conformance. And it's the responsibility of the audit team to evaluate the attained objective evidence to conclude with a level of conformance that needs reporting.

 

Also remember that the audit team records for future audits, source of information.

 

Closure and Follow-up

 

The audit report is to contain relevant information to the objective of the audit. The audit report, most likely a predetermined form, will contain and answer:

 

  • Scope of the audit
  • Audited activities / processes
  • Dates and include specifics of shift

 

Include information that will assist auditee and follow-up audit team to achieve audit objective

The information shall briefly express information on findings; observation; and nonconformity, if found

Conveys the information quickly and instigate taking action

As requires by third party auditing, classify any nonconformity 

 

A final word on relating nonconformity to requirement, when identify a nonconformity convey the necessary information for the auditee to take action leading from the possible cause (of the nonconformity itself). This last may be one of the most difficult tasks of an effective and competent audit team.

 

The information herein noted applies equally to ISO 9001:2008 and variants or self stand international management systems standards, such as:

  • ISO/IEC 17025
  • ISO/IEC 27001
  • ISO 22000
  • ISO/IEC 17024
  • ISO 13485
  • AS9100
  • TL 9000
  • ISO/TS 16949
  • And other standards

 
 
 
Some Thoughts in AuditingBack to Home Portal...