https://www.oeconsulting.com.sg/training-presentations]ISO g.pptx

basilabuasi1 97 views 106 slides Apr 26, 2024


Auditor Training Module 1 – Audit Concepts and Definitions

What is auditing? Most of us are familiar with the term ‘audit’. Typically, ‘audit’ is considered to be associated with financial matters such as accounting, costing, taxation, etc. As a result, the very mention of the word ‘audit’ evokes fear, not comfort. However, management system audits are totally different in nature, whether on the quality management system ISO9001 or other management systems such as ISO14001 or OHSAS18001. The International Organisation for Standardisation (ISO) has even published a standard (ISO19011:2011) to provide guidance on how to conduct management system audits.

Audit and Audit Scope “Audit” is a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. “Audit Scope” may include the examination of System Adequacy and / or Compliance, and identification of Improvement Opportunities.

Four Types of Audit: Internal Audit, External Audit, Combined Audit, Joint Audit

Internal Audit Also known as a “First party Audit”. Is conducted by, or on behalf of, the organisation itself for management review and other internal purposes (e.g. to confirm the intended operation of the management system or to obtain information for improvement of the management system), and may form the basis for an organisation’s self-declaration of conformity. In many cases, particularly in smaller organisations, independence can be demonstrated by the freedom from responsibility for the activity being audited or freedom from bias and conflict of interest.

External Audit Also known as a “Second” or “Third” Party Audit. Second party audits are conducted by parties having an interest in the organisation, such as customers, or by other persons on their behalf. Third party audits are conducted by independent auditing organisations, such as regulators or those providing registration or certification.

Combined Audit When two or more management systems of different disciplines (e.g. quality, environmental, occupational health and safety) are audited together, this is termed a combined audit.

Joint Audit When two or more auditing organisations cooperate to audit a single auditee, this is termed a joint audit.

Management System Audits Management system audits are an effective support tool for management, checking the implementation status of policies and procedures, and providing information that can help improve process performance. In order to ensure that the audit conclusions are relevant, and different auditors arrive at similar conclusions in similar circumstances, the ISO Auditing Standard has spelt out some pre-requisites/guidelines for auditors and the audit process itself. Auditing is characterised by reliance on a number of principles known as the “Six Principles of Auditing”, which every auditor and audit manager must adhere to!

Four Principles For Auditors and Audit Managers

1. Integrity: The foundation of professionalism. To perform the work with honesty, diligence, and responsibility. To observe and respect any applicable legal requirements. To demonstrate technical competence while undertaking work. To perform the work in an impartial manner. To be sensitive to any influences that may be exerted by other interested parties on their judgment while carrying out an audit.

2. Fair presentation: The obligation to report truthfully and accurately. Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the audit activities. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee may be reported. The communication has to be truthful, accurate, objective, timely, clear and complete.

3. Due professional care: The application of diligence and judgement in auditing. Auditors should exercise due care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgements in all audit situations.

4. Confidentiality: Security of information. Auditors should be prudent in the use and protection of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interest of the auditee. This concept includes the proper handling of sensitive, confidential or classified information.

Plus Two Principles For Audit Process

1. Independence: The basis for the impartiality of the audit and objectivity of the audit conclusions. Auditors should be independent of the activity being audited and act in a manner that is free from bias and conflict of interest wherever possible. For internal audits, auditors should be independent from the operating managers of the function(s) being audited. Auditors should maintain an objective state of mind throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence. For small organisations, it may not be possible for internal auditors to be fully independent of the activity being audited, but every effort should be made to remove bias and allow for objectivity.

2. Evidence-based approach: The rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. Audit evidence must be verifiable. Evidence must be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. The appropriate use of sampling should be closely related to the confidence that can be placed on the audit conclusions.

Audit Terminology

Audit Terminology (1) Audit Criteria: The set of policies, procedures or requirements that apply to the management system being audited. Audit criteria are used as a reference against which audit evidence is compared. If the audit criteria are selected from legal or other requirements, the audit finding is termed compliance or non-compliance. If the audit criteria are selected from standards (internal or external), the audit finding is termed a conformity or nonconformity.

Audit Terminology (2) Audit Evidence: verifiable records, statement of fact or other information which are relevant to the audit criteria. Audit evidence may be qualitative or quantitative. Audit Findings: the results of evaluation of the collected audit evidence against audit criteria, which may indicate conformity / non-conformity / opportunity for improvement / good practices. Audit Conclusion: is the outcome of an audit, after consideration of the audit objectives and all audit findings.

Audit Terminology (3) Audit Client: is the organisation or person requesting an audit. Note: the audit client may be the auditee or any other organisation which has the regulatory or contractual right to request an audit. Auditee: is the organisation being audited. Auditor: those conducting an audit.

Audit Terminology (4) Audit Team: is a team of one or more auditors conducting an audit, supported (if needed) by technical experts. One auditor of the audit team is appointed as the lead auditor (audit team leader). The audit team may include auditors-in-training. Audit Programme: the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose. Audit Plan: a description of the activities and arrangements for an audit.

Audit Terminology (5) Audit Scope: the extent and boundaries of an audit. Note: The audit scope generally includes a description of the physical locations, organisational units, activities and processes, as well as the time period covered. Competence: the ability to apply knowledge and skills to achieve intended results. Note: Ability implies the appropriate application of personal behaviour during the audit process. Risk: the effect of uncertainty on objectives.

Audit Terminology (6) Technical Expert: a person who provides specific knowledge or expertise to the audit team. Note: Specific knowledge or expertise is that which relates to the organisation, the process or activity to be audited, or language or culture. Note: A technical expert does not act as an auditor in the audit team. Conformity: the fulfilment of a requirement. Nonconformity: the non-fulfilment of a requirement. Guide: a person appointed by the auditee to assist the audit team.

Audit Training Module 2 - Audit Management

A PDCA Approach to Audit Management Plan: Determine the audit programme: objectives, manager’s role, extent, risks, procedures and resources. Do: Implement the audit programme: define individual audit objectives, scope and criteria and audit method; select the audit team and assign lead auditors; manage and maintain audit programme records; competence and evaluation of auditors; audit activities. Check: Monitoring the audit programme. Act: Reviewing & improving audit programme.

Step 1 Establishing the Audit Programme (clause 5.2)

Developing Audit Objectives (1) Objectives must be set to give a direction for the planning and conduct of audits and to ensure effective implementation of the audit programme, including: management priorities, commercial and/or business intentions management system(s) requirements legal and other requirements need for supplier evaluation needs and expectations of interested parties (including customers) auditee’s level of performance, as reflected in the occurrence of failures or incidents or customer complaints risks to the organisation being audited results of previous audits level of maturity of the management system

Developing Audit Objectives (2) Typical examples of audit programme objectives: “To contribute to the improvement of a management system and its performance.” “To meet external requirements”, e.g. certification to a management system standard. “To verify conformity with contractual requirements.” “To obtain and maintain confidence in the capability of a supplier.” “To evaluate compatibility and alignment of the management system objectives with the management system policy and the overall business objectives.”

Audit Manager’s Responsibilities The audit manager must: establish the extent of the audit programme; evaluate the risks for the audit programme; establish audit responsibilities and procedures; ensure necessary resources are provided, including the evaluation of auditors; ensure the implementation of the audit programme, such as defining audit objectives, scope and criteria of the individual audits, determining audit methods and selecting the audit team; ensure that appropriate audit programme records are maintained; monitor, review and improve the audit programme. Note: The person assigned the responsibility for managing an audit programme should inform the top management on the contents of the audit programme and, where necessary, ask for its approval.

Audit Manager Competence The audit manager should be competent to manage the audit programme effectively and efficiently and have competence in: audit principles, procedures, methods and techniques management system and reference documents applicable legal and other requirements relevant to the activities and/or products of the organisation to be audited organisational products and processes customer(s), supplier(s) and other interested parties of the organisation to be audited, where applicable risks associated with the audit programme

Audit Extent (1) The audit manager should establish the extent of the audit programme, taking into account: the size and nature of the organisation to be audited the nature, functionality, complexity and level of maturity of the management system to be audited Other factors affecting the extent include: the scope, objective and duration of each audit, and, the frequency of audit the number, importance, similarity and locations of the activities to be audited those matters of significance to the effectiveness of the management system legal and other requirements, such as standards, contractual requirements, etc. the need to meet external requirements, say, for certification

Audit Extent (2) Further factors affecting the extent include: conclusions of previous internal / external audits or results of previous audit programme review language, cultural and social issues the concerns of interested parties such as customer complaints, regulatory breaches, etc. significant changes to the organisation to be audited or its operations the extent and maturity of the information and communications technologies of the auditee, which can impact the use of remote audit methods the occurrence of internal and external events such as product failure, contamination, information security leak, health and safety incident, criminal acts or environmental incident

Evaluating Audit Risks The audit manager should consider the risks associated with establishing, implementing, monitoring and reviewing an audit programme, including: planning, e.g. failure to set the objectives and extent of audit programme resources, e.g. allotting insufficient time to develop the audit programme selection of the audit team, e.g. the team does not have the collective competence to conduct the audit effectively implementation, e.g. ineffective communication of the audit programme records, e.g. failure to adequately protect audit records to demonstrate audit programme effectiveness monitoring, reviewing and improving the audit programme, e.g. ineffective monitoring of audit programme outcomes

Establishing Audit Procedures The audit manager should establish one or more audit procedures, addressing the following: planning and scheduling audits considering audit programme risks managing information security, confidentiality, risks to the organisation from auditing activities and other matters related to the audit programme assuring the competence of auditors and lead auditors selecting appropriate audit teams and assigning their roles and responsibilities conducting audits, including the use of appropriate sampling methods conducting audit follow-up, if applicable reporting to the audit client (e.g. top management) on the overall achievements of the audit programme monitoring the performance, risks and effectiveness of the audit programme maintaining audit programme records

Identifying Audit Resources When identifying resources for the audit programme, the audit manager should consider: the financial resources necessary to develop, implement, manage and improve audit activities audit methods / techniques the availability of auditors and technical experts having competence appropriate to the particular audit programme objectives the extent of the audit programme travelling time and cost, accommodation and other auditing needs the extent and maturity of the information and communication systems of the organisation to be audited which may impact the use of remote audit methods

Step 2 Implementing the Audit Programme (clause 5.3)

General Considerations The audit manager should implement the audit programme by: communicating the pertinent parts of the audit programme to relevant parties and informing them periodically of its progress defining objectives, scope and criteria for each individual audit coordinating and scheduling audits and other activities relevant to the audit programme ensuring the selection of audit teams with the necessary competence providing necessary resources to the audit teams ensuring the conduct of audits in accordance with the audit programme and within the agreed time frame ensuring that audit activities are recorded and records are properly managed and maintained

Defining Audit Objectives, Scope and Criteria (1) In order to develop the audit plan for each individual audit, it is necessary to identify and document the specific audit objectives, scope, methods, criteria and procedures. The audit objectives define what is to be accomplished by the audit and should be documented in the audit plan. They may include the following: determination of the extent of conformity of a management system to be audited, or parts of it, with audit criteria evaluation of the capability of a management system to ensure compliance with legal and other requirements evaluation of the effectiveness of a management system in meeting its specified objectives identification of areas for potential improvement of a management system treatment of confidential information including the extent of disclosure

Defining Audit Objectives, Scope and Criteria (2) The audit manager should define the individual audit objectives, and these objectives must be consistent with the overall audit programme objectives. The audit scope should be consistent with the audit programme and audit objectives. It includes such factors as physical locations, organisational units, activities and processes to be audited, as well as the duration of the audit. The audit criteria (derived from applicable policies, objectives, procedures, standards, legal / management system / contractual requirements, industry / business sector codes of conduct) should be used as a reference against which conformity is determined. The audit scope and audit criteria should be defined jointly by audit manager and lead auditor in accordance with audit programme procedures, and, changes (if any) should be agreed to by the same parties and the audit programme should be modified accordingly.

Determining Audit Method(s) The audit manager should select and determine the audit methods for an audit depending on the defined audit objectives, scope and criteria for effectively conducting the audit. If an organisation to be audited operates two or more management systems of different disciplines (such as QMS and EMS), combined audits may be included in the audit programme. In such a case, special attention should be paid to the competence of the audit team.

Selecting the Audit Team (1) The audit manager should appoint the members of the audit team, including the team leader and any technical expert(s) needed for the specific audit. An audit team should be selected, taking into account the competence needed to achieve the objectives of the individual audit within the defined scope. If there is only one auditor, the auditor should perform all applicable duties of a lead auditor. Note: Clause 7 of ISO19011:2011 standard contains guidance on determining the competence required for the audit team members and describes processes for evaluating auditors.

Selecting the Audit Team (2) In deciding the size and composition of the audit team for the specific audit, consideration should be given to the following: the overall competence of the audit team needed to achieve audit objectives, scope and criteria type of audit (combined / joint) and the kind of audit methods selected legal and other requirements such as contractual requirements the need to ensure the independence of the audit team from the activities to be audited and to avoid any conflict of interest the ability of audit team members to interact effectively with the auditee the language of the audit, and an understanding of the auditee’s particular social and cultural characteristics These issues may be addressed either by the auditor's own skills or through the support of a technical expert.

Selecting the Audit Team (3) To assure the overall competence of the audit team, the following steps should be performed: identification of knowledge and skills needed to achieve the objectives of audit selection of the audit team members so that all of the necessary knowledge and skills are present in the audit team if all the necessary competence is not covered by the auditors in the audit team, technical experts with additional competence may be included in the teams technical experts should operate under the direction of an auditor but should not act as auditors auditors-in-training may be included in the audit team, but should participate under the direction and guidance of an auditor

Selecting the Audit Team (4) Both the audit client and the auditee may request the replacement of particular audit team members on reasonable grounds based on the principles of auditing. Examples of reasonable grounds include lack of competency or previous unethical behaviour, conflict of interest situations (such as in the case of second or third party audits, an audit team member having been a former employee of the auditee or having provided consultancy services to the auditee), etc. Such grounds should be communicated to the lead auditor and to the audit manager, who should discuss the issue with the audit client and auditee before making any decisions or replacing audit team members.

Lead Auditor Responsibilities (1) The audit manager should assign the responsibility for the conduct of the individual audit to a lead auditor (the audit team leader). The assignment should be made, and the following information provided, sufficiently in advance to give sufficient time for effective audit planning: the audit objectives the audit criteria and any reference documents the audit methods and procedures the audit scope, including identification of the organisational and functional units and processes to be audited the composition of the audit team the locations, dates, and duration of the audit activities to be conducted the allocation of appropriate resources to conduct the audit.

Lead Auditor Responsibilities (2) The assignment information should also cover the following, as appropriate: the working and reporting language of the audit where this is different from the language of the auditor and/or the auditee audit report contents requested by the audit programme matters related to confidentiality and information security, if required by the audit programme any follow-up actions, for example, from a previous audit, if applicable The audit manager should ensure that the information provided to the lead auditor adequately addresses identified risks to the achievement of audit objectives.

Managing Audit Records The audit manager should manage and maintain records to demonstrate the implementation of the audit programme. Processes should be established to ensure that any privacy or confidentiality needs associated with the audit records are satisfied. Records should include the following: records related to the audit programme such as audit programme objectives, those addressing audit risks, reviews of the audit programme effectiveness; records related to individual audit such as audit plans & reports, nonconformity reports, corrective and preventive action reports, audit follow-up reports, etc.; records related to audit personnel such as competence and performance evaluation of the audit team members, audit team selection, maintenance and improvement of competence.

Step 3 Audit Monitoring (clause 5.4)

Audit Monitoring (1) The audit manager should periodically monitor the audit implementation, including: reviewing and approving audit reports, and ensuring their distribution to top management and other relevant parties; considering the necessity of any follow-up audit; evaluating the performance of the audit team members; evaluating the ability of the audit teams to implement the audit plan; evaluating conformity with audit programmes, schedules and objectives; evaluating feedback from top management, auditees, auditors, and other interested parties.

Audit Monitoring (2) Sometimes, for the following or other reasons, it may be necessary to modify the audit programme before completion: initial audit findings demonstrated level of management system effectiveness changes to the client’s or the auditee’s management system change of legal requirements and/or standard change of supplier

Step 4 Reviewing and Improving Audits (clause 5.5)

Reviewing and Improving Audits The audit manager should review the audit programme to assess whether its objectives have been met, including: results and trends from monitoring conformity with audit programme procedure(s) evolving needs and expectations of interested parties audit programme records, alternative or new auditing methods effectiveness of the measures taken to address audit risks confidentiality & information security issues relating to the audit programme continual professional development of auditors Note 1: The audit manager should review the overall implementation of the audit programme, identify areas for improvement and amend the programme, and report the results to the top management. Note 2: Lessons learned from the review should be used for continual improvement.

Auditor Training Module 3 - Conducting the Audit

Audit Activities Initiating the audit: to establish initial contact with the auditee; to determine the feasibility of audit. Preparing for the audit activities: to prepare the audit plan; to assign work to audit team; to prepare the work documents. Conducting audit activities: to perform document review; to conduct the opening meeting; to communicate during audit; to collect and verify information; to record audit findings and conclusions; to conduct the closing meeting. Preparing & distributing the audit report: to prepare the audit report; to distribute the audit report. Completing the audit. Conducting audit follow-up (if applicable).

General Considerations On initiation of an audit, the audit manager assigns the responsibility for the audit to the lead auditor, as is defined in the audit programme. The audit manager transfers the necessary information to the lead auditor. The responsibility for conducting the assigned audit remains with the lead auditor until the audit is completed. To initiate an audit, the steps outlined in the next few slides should be considered. However, the sequence can differ depending on the auditee, processes and specific situations.

Step 1 Initiating the Audit (clause 6.2)

Contacting the Auditee The lead auditor should, formally or informally, make initial contact with the auditee. The purposes of the initial contact are: to establish communication channels with the auditee’s representative(s) to confirm the authority to conduct the audit to provide information on the audit scope, methods and team composition to request access to relevant documents for planning purposes, including records to determine applicable legal and other requirements to confirm the agreement with the auditee regarding the extent of the disclosure and the treatment of the confidential information to make arrangements for the audit including scheduling the date(s) to agree on the attendance of observers and the need for guides for the team to find out the auditee’s expectations and needs related to the audit

Checking Feasibility The feasibility of an audit determines whether all of the necessary resources, information, arrangements, etc., are in place to provide reasonable confidence that the audit objectives can be achieved. The feasibility of the audit should be determined, taking into consideration such factors as the availability of: sufficient and appropriate information for planning the audit; adequate cooperation from the auditee; adequate time and resources for performing the audit. Where the audit is not feasible, an alternative should be proposed to the audit client, in agreement with the auditee.

Preparing the Audit Plan (1) The lead auditor should prepare an audit plan based on the information contained in the audit programme and documentation provided by the auditee. The audit plan should consider the effect of the audit on the auditee’s processes and provide the basis for the agreement among the audit client, audit team and the auditee regarding the conduct of the audit. The plan should facilitate the efficient scheduling and coordination of the audit activities to achieve an effective outcome. The amount of detail provided in the audit plan should reflect the scope and complexity of the audit as well as risks and the effect of uncertainty on the audit outcome.

Preparing the Audit Plan (2) In preparing the audit plan the lead auditor should be aware of appropriate sampling techniques, compatibility of audit team members and risks to the organisation created by the audit. Risks to the organisation may include an audit team member who mishandles the auditee’s information, or creates a safety, health, environmental or security risk such as a threat to the auditee’s products, services, personnel and/or infrastructure. For combined audits, particular attention should be given to the interfaces between processes of the management system(s). The details may differ, for example, between initial and subsequent audits and also between internal and external audits. The audit plan should be sufficiently flexible to permit changes which can become necessary as the audit activities progress.

Preparing the Audit Plan (3) The audit plan must cover or reference the following: the audit objectives the audit scope, including identification of the organizational and functional units and processes to be audited the audit criteria and any reference documents the locations, dates, expected times and duration of audit activities to be conducted, meetings with the auditee’s management as well as other meetings the audit method to be used including the extent to which audit sampling is needed to obtain sufficient audit evidence and the design of the sampling programme, if applicable the roles and responsibilities of audit team members, guides and observers the allocation of appropriate resources to critical areas of the audit.

Step 2 Preparing for Audit Activities (clause 6.3)

Preparing the Audit Plan Where appropriate, the audit plan should also cover the following: identification of the auditee’s representative for the audit the working and reporting language of the audit where this is different from the language of the auditor and/or the auditee the audit report topics logistics and communication arrangements including specific arrangements for the sites to be audited any specific measures taken to address risks and the effect of uncertainty on the audit objectives matters related to confidentiality and information security any follow-up actions, for example, from a previous audit Note: The audit plan should be reviewed and accepted by the audit client, and presented to the auditee, before the audit activities begin.

Assigning Tasks to the Audit Team The lead auditor, in consultation with the audit team, should assign to each team member responsibility for auditing specific processes, functions, sites, areas or activities. Such assignments should respect the independence and competence of auditors and the effective use of resources, as well as different roles and responsibilities of auditors, auditors-in-training and technical experts. Audit team briefings, which should be held on a regular basis by the lead auditor, should allocate work assignments and decide possible changes. Changes to the work assignments can be made as the audit progresses to ensure the achievement of the audit objectives.

Preparing Work Documents The audit team members should review the information relevant to their audit assignments and prepare work documents as necessary for reference and for recording audit evidence. Such work documents should include:
- checklists and audit sampling plans
- forms for recording information, such as supporting evidence, audit findings and records of meetings
The use of checklists and forms should not restrict the extent of audit activities, which can change as a result of information collected during the audit. Work documents should be retained at least until audit completion. Those documents involving confidential or proprietary information should be suitably safeguarded at all times by the audit team members.

Document Review Relevant documentation of auditee’s management system should be reviewed ...
- to gather information for the preparation of the audit activities
- to get an overview on the extent of the system documentation
- to determine the system’s conformity, as far as documented, with audit criteria
The documentation can include relevant management system documents and records, as well as previous audit reports. The review should take into account the size, nature & complexity of the auditee’s management system and organization, and the objectives and scope of the audit.
Notes:
- The review may be combined with the other audit activities and may continue throughout the audit, if this is not detrimental to the effectiveness of its conduct.
- If adequate documentation cannot be provided within the time frame given in the audit plan, the lead auditor should inform the audit manager and the auditee.

Conducting an Opening Meeting (1) The purpose of the opening meeting is to confirm the audit plan, introduce the audit team and ensure that all planned audit activities are in place. An opening meeting should be held with the auditee management and, where appropriate, those responsible for the functions or processes to be audited. In many instances, for example internal audits in a small organization, the opening meeting may simply consist of communicating that an audit is being conducted and explaining the nature of the audit. For other audit situations, the meeting may be formal and records of the attendance should be kept. The meeting should be chaired by the lead auditor.

Conducting an Opening Meeting (2) The following should be covered in the opening meeting (1):
- introduction of all participants, and an outline of their roles
- confirmation of the audit objectives, scope and criteria
- confirmation of the audit plan and other relevant arrangements with the auditee, such as the date and time for the closing meeting, any interim meetings between the audit team and the auditee's management, and any late changes
- presentation of the methods to be used, including advising the auditee that the audit evidence will be based on a sample of the information available
- introduction of methods to manage risks to the organization, products, services, personnel and/or infrastructure associated with the audit
- confirmation of formal communication channels between the audit team and the auditee
- confirmation of the language(s) to be used during the audit

Conducting the Opening Meeting (3) The following shall be covered in the opening meeting (2):
- confirmation that, during the audit, the auditee will be kept informed of audit progress
- confirmation of availability of resources and facilities needed by the audit team
- confirmation of matters relating to confidentiality and information security
- confirmation of relevant health and safety, emergency and security procedures for the audit team
- information on method of reporting audit findings including any grading
- information about conditions under which the audit may be terminated
- information about the closing meeting
- information about how to deal with possible findings during the audit
- information about any system for feedback from the auditee on the findings or conclusions of the audit, including complaints or appeals

Communication During the Audit (1) It may be necessary to make formal arrangements for communication within the audit team, with the auditee and potentially with external bodies (e.g. regulators) during the audit, especially where legislative requirements require the mandatory reporting of nonconformities. The audit team should confer periodically to exchange information, assess audit progress, and reassign work between the audit team members as needed. During the audit, the lead auditor should periodically communicate the progress of the audit and any concerns to the auditee and audit client, as appropriate. Evidence collected during the audit that suggests an immediate and significant risk to the auditee should be reported without delay to the auditee and, as appropriate, to the audit client.

Communication During the Audit (2) Any concern about an issue outside the audit scope should be noted and reported to the lead auditor, for possible communication to audit client and auditee. Where the available audit evidence indicates that the audit objectives are unattainable, the lead auditor should report the reasons to the audit client and the auditee to determine appropriate action. Such action may include reconfirmation or modification of the audit plan, changes to the audit objectives or audit scope, or termination of the audit. Any need for changes to the audit plan which may become apparent as auditing activities progress should be reviewed with and approved by the person responsible for managing the audit programme and, as appropriate, the auditee.

Guides and Observers Guides and observers (e.g. regulator or other interested parties) may accompany the audit team. They should not influence or interfere with the conduct of the audit. Guides, appointed by the auditee, should assist the audit team and act on the request of the lead auditor. Their responsibilities should include the following:
- establishing contacts and timing for interviews
- arranging access to specific parts or sites of the auditee
- ensuring that rules concerning site safety and security procedures are known and respected by the audit team members and observers
- witnessing the audit on behalf of the auditee, and
- providing clarification or assisting in collecting information.

Collection and Verification of Information During the audit, information relevant to the audit objectives, audit scope and audit criteria, including information relating to interfaces between functions, activities and processes, should be collected by means of appropriate sampling and should be verified. Only information that is verifiable should be accepted as audit evidence. Audit evidence relevant to the audit findings should be recorded. If, during the collection of evidence, the audit team becomes aware of any new or changed risks, these should be addressed accordingly. Methods of collecting information include interviews, observations, review of documents, etc.

Audit Findings (1) Audit evidence must be evaluated against audit criteria to identify audit findings. Audit findings can indicate conformity or nonconformity with audit criteria. When specified by the audit objectives, audit findings should identify opportunities for improvement and provide recommendations for best practice, where this does not compromise independence. The audit team should meet as needed to review the audit findings at appropriate stages during the audit. Conformity with audit criteria should be summarized to indicate locations, functions or processes that were audited. If included in the audit plan, individual audit findings of conformity and their supporting evidence should also be recorded.

Audit Findings (2) Non-conformities and their supporting audit evidence should be recorded. Non-conformities may be graded. They should be reviewed with the auditee to obtain acknowledgement that the audit evidence is accurate, and that the non-conformities are understood. Every attempt should be made to resolve any diverging opinions concerning the audit evidence and/or findings, and unresolved points should be recorded. For combined audits, arrangements on dealing with findings related to criteria coming from the different requirements audited (multiple criteria) should be in place.

Audit Conclusions (1) The audit team should confer prior to the closing meeting to:
- review the audit findings, and any other appropriate information collected during the audit, against the audit objectives
- agree on the audit conclusions, taking into account the uncertainty inherent in the audit process
- prepare recommendations, if specified by the audit objectives
- discuss audit follow-up, as applicable.

Audit Conclusions (2) Audit conclusions can address issues such as:
- the extent of conformity of the management system with audit criteria, including the effectiveness of the management system in meeting the stated objectives
- the effective implementation/maintenance/improvement of management system
- the capability of the management review process to ensure the continuing suitability, adequacy, effectiveness and improvement of a management system
- attempt to identify root causes of findings, if stated by the audit objectives
- consolidate similar findings made in different areas that were audited for the purpose of identifying trends
If specified by audit objectives, audit conclusions may lead to recommendations regarding improvements, business relationships, or future auditing activities.

Conducting the Closing Meeting (1) A closing meeting, facilitated by the lead auditor, should be held to present the audit findings and conclusions in such a manner that they are understood and acknowledged by the auditee. Participants in the closing meeting should include representatives of the auditee, and may also include the audit client and other parties. If applicable, the lead auditor should advise the auditee of situations encountered during the audit that may decrease the reliance that can be placed on the audit conclusions. If defined in the management system or by agreement with the audit manager, the participants should agree on the time frame for an action plan to address the audit findings. For some audit situations, the meeting may be formal and minutes, including records of attendance, should be kept.

Conducting the Closing Meeting (2) In case of internal audits, the closing meeting is less formal and may consist solely of communicating the audit findings and audit conclusions. As appropriate, the following should be explained in the closing meeting:
- advising the auditee that the audit evidence collected was based on a sample of the information available
- the method of reporting, including any grading
- the process of handling of audit findings and possible consequences
- presentation of the audit findings in such a manner that they are understood and acknowledged by the auditee
- any related post audit activities

Conducting the Closing Meeting (3) Any diverging opinions regarding the audit findings and/or conclusions between the audit team and the auditee should be discussed and if possible resolved. If not resolved, all opinions should be recorded. If specified by the audit objectives, recommendations for improvements may be presented. It should be emphasized that recommendations are not binding.

Preparing the Audit Report (1) The lead auditor should be responsible for the preparation and contents of the audit report. The audit report should provide a complete, accurate, concise and clear record of the audit, and in accordance with the audit procedures should include or refer to the following:
- the audit objectives
- the audit scope, particularly identification of the organizational and functional units or processes audited and the period of time covered
- identification of the audit client
- identification of audit team and auditee’s participants in the audit
- the dates and locations where the audit activities were conducted
- the audit criteria, the audit findings, the audit conclusions
- a statement on the extent of the conformity to the audit criteria

Preparing the Audit Report (2) The audit report can also include or refer to the following, as appropriate:
- the audit plan
- a summary of the audit process, including the uncertainty and/or any obstacles encountered that may decrease the reliability of the audit conclusions
- confirmation if the audit objectives have been accomplished within the audit scope in accordance with the audit plan
- any areas within the audit scope not covered
- a management summary covering the audit conclusions and the main audit findings that support them
- any unresolved diverging opinions between the audit team and the auditee
- opportunities for improvement, strengths and best practices identified
- agreed follow-up action plans (if any)
- a statement of the confidential nature of the contents
- the distribution list for the audit report

Distributing the Audit Report The audit report should be issued within an agreed period of time. If it is delayed, the reasons should be communicated to the auditee and the audit manager. The audit report should be dated, reviewed and approved as appropriate in accordance with audit programme procedures. The audit report should then be distributed to recipients as defined in the audit procedures.

Step 5 Completing the audit (clause 6.6) The audit is completed when all audit plan activities have been carried out or as otherwise agreed with the audit manager. Documents pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with audit programme procedures and applicable legal and other requirements. Unless required by law, the audit team and the audit manager should not disclose the contents of documents, any other information obtained during the audit, or the audit report, to any other party without the explicit approval of the audit client and, where appropriate, the approval of the auditee. If disclosure of the contents of an audit document is required, the audit client and auditee should be informed as soon as possible. Lessons learned from the audit should be entered into the continual improvement process of the management system of the organisation needing to conduct audits.

Step 6 Conducting audit follow-up (clause 6.7) The conclusions of the audit may, depending on the audit objectives, indicate the need for corrections, corrective, preventive or improvement actions. Such actions are usually decided and undertaken by the auditee within an agreed timeframe. As appropriate, the auditee should keep the person responsible for managing the audit programme and the audit team informed of the status of these actions. The completion and effectiveness of the actions should be verified. This verification may be part of a subsequent audit.

Audit Training Module 4 - Competence and Evaluation of Auditors

General Considerations (1) Confidence in and reliance on the audit process depend on the competence of those involved in planning & conducting the audits, including auditors and team leaders. Competence has to be evaluated through a process that considers personal behaviours and the ability to apply the knowledge and skills gained through education, work experience, auditor training and audit experience. This process should take into consideration the needs of the audit programme and its objectives. Some of the knowledge and skills are common to auditors of all management system disciplines, others are specific to auditors of specific management system disciplines. The evaluation of auditors must be planned, implemented and documented in accordance with the audit programme to provide an outcome that is objective, consistent, fair and reliable.

General Considerations (2) The evaluation process should include four main steps:
1. Determine the competence of audit personnel needed for the audit programme
2. Establish the evaluation criteria
3. Select the appropriate evaluation method
4. Conduct the evaluation
The outcome of the evaluation process should provide a basis for:
- audit team selection
- determination of training and other competence enhancement needs
- ongoing performance evaluation of auditors
Auditors should develop, maintain and improve their competence through continual professional development and regular participation in audits.

Determining Auditor Competence

Overall Considerations In deciding the appropriate knowledge and skills, consider the following:
- the size, nature and complexity of the organisation(s) to be audited
- the management system disciplines to be audited
- the objectives and extent of the audit programme
- other requirements, like those imposed by external bodies, where appropriate
- the role of the audit process in the management system of the organisation(s) to be audited
- the complexity of the management system to be audited
- the uncertainty in achieving audit objectives

Personal Behaviours (1) An auditor must possess (or develop) the following 14 qualities:
- Ethical: fair, truthful, sincere, honest and discreet
- Open minded: willingness to consider alternative ideas or points of view
- Diplomatic: tact in dealing with people
- Observant: active observation of physical surroundings and activities
- Perceptive: aware of and able to understand situations
- Adaptable: adjust readily to different situations
- Tenacious: persistence, focus on achieving objectives
- Decisive: reaching timely conclusions based on logical reasoning and analysis
- Self reliant: acting and functioning independently while interacting effectively with others
Continued …

Personal Behaviours (2) An auditor must possess (or develop) the following 14 qualities: (cont.)
- Acting with fortitude: willing to act responsibly and ethically even though these actions may not always be popular and may sometimes result in disagreement or confrontation
- Well organised: exhibiting effective time management, prioritisation, planning and efficiency
- Open to improvement: learning from situations, striving for better audit results
- Culturally sensitive: observe & respect cultural traditions of the auditee
- Team player: works well with other audit team members

Knowledge and Skills – System Auditors (1) Auditors should have knowledge and skills in audit principles, procedures and techniques so the auditor can apply those appropriate to different audits and ensure that audits are conducted in a consistent and systematic manner, including:
- apply audit principles, procedures, methods and techniques
- plan & organise the work effectively, to conduct the audit within agreed time schedule
- prioritise and focus on matters of significance, understand the types of auditing risks
- collect information through interviewing, observing, and reviewing documents & data
- understand the appropriateness and consequences of using sampling techniques
- verify the accuracy of collected information, confirm the sufficiency & appropriateness of audit evidence to support audit findings and conclusions
- assess those factors that may affect the reliability of audit findings and conclusions
- use work documents to record audit activities, prepare audit reports
- maintain the confidentiality and security of information
- communicate effectively

Knowledge and Skills – System Auditors (2) Auditors should have knowledge and skills in management system and reference documents so that the auditor can comprehend the scope of audit and apply audit criteria, including:
- the application of management systems to different organisations
- interaction between the components of the management system
- specific management system standards, applicable procedures or other management system documents used as audit criteria
- recognising the hierarchy of reference documents
- application of the reference documents to different audit situations
- control and protection of information, data, documents and records
Organisational context: to enable the auditor to comprehend the auditee's structure, business and management practices. Knowledge and skills in this area should cover:
- organisational types, governance, size, structure, functions and relationships
- general business and management concepts, processes and related terminology (including planning, budgeting and management of personnel)
- cultural and social aspects of the auditee

Knowledge and Skills – System Auditors (3) Auditors should have knowledge and skills in applicable legal and other requirements that apply to the auditee so that the auditor can work within, and be aware of, the organisation’s legal and contractual requirements, including:
- laws and regulations
- basic legal terminology
- contract and liability

Knowledge and Skills – Lead Auditor Lead auditors should have the knowledge and skills to manage and provide leadership to the audit team in order to facilitate the efficient and effective conduct of the audit, including to:
- balance the strengths and weaknesses of the individual audit team members
- develop a harmonious working relationship among the team members
- manage the audit process, including:
  - planning the audit and making effective use of resources during the audit
  - managing the uncertainty of achieving audit objectives, preventing/resolving conflicts
  - protecting the safety and health of the audit team members during the audit
  - organising & directing audit team members, directing and guiding the auditors-in-training
- represent the audit team in communications with the audit client and auditee
- understand and respect the experts’ opinions
- lead the audit team to reach audit conclusions, prepare & complete the audit report

Knowledge and Skills – Discipline & Sector Specific (1) An auditor who intends to audit a specific type of management system should have the discipline and sector specific knowledge and skills that are appropriate for auditing the particular type of management system and industry sector. Each auditor in the audit team does not need to have the same competence. However, the overall competence of the audit team needs to be sufficient to meet the audit objectives.

Knowledge and Skills – Discipline & Sector Specific (2) The discipline and sector specific knowledge and/or skills of auditors should include:
- understanding of the discipline and sector specific management system requirements and principles, and their application
- understanding applicable legal and other requirements relevant to the discipline and sector so as to enable the auditor to work within, and be aware of, the requirements that apply to the organisation being audited
- knowledge and skills specific to the jurisdiction and/or auditee’s obligations, activities and products
- understanding of the information (e.g. body of knowledge) that is fundamental to the business and technical processes, sufficient to enable the auditor to evaluate management system elements associated with the discipline
- understanding of discipline-specific knowledge related to the particular sector, nature of operations, or workplace being audited sufficient for the auditor to evaluate the auditee’s activities, processes, products and services
- understanding risk management principles, methods & techniques relevant to the discipline and sector to enable the auditor to examine the auditee’s approach to managing risk

Education, Work Experience, Training and Audit Experience (1) Auditors should have completed an education sufficient to acquire the knowledge and skills. They should have work experience that contributes to the development of the knowledge and skills. This work experience should be in a technical, managerial or professional position involving the exercise of judgment, decision making, problem solving and communication with managers, professionals, peers, customers and/or other interested parties. Part of the work experience should be in a position where the activities undertaken contribute to the development of knowledge and skills in a management system for which they intend to audit. They should have completed training in audit principles, procedures & techniques. They must acquire audit experience under a lead auditor’s supervision.

Education, Work Experience, Training and Audit Experience (2) An audit team leader should have acquired additional audit experience to develop the knowledge and skills. This additional experience should have been gained by working under the direction and guidance of an audit team leader. Auditors who intend to become an audit team member in the audit of combined or integrated management systems should have:
- the competence necessary to audit at least one management system discipline forming part of the combined or integrated management systems, as long as the audit team includes auditors with competence for all disciplines, and
- an understanding of the interaction and synergy between the different management systems.
Note: An audit team leader conducting audits of combined or integrated management systems should meet the above recommendations and have discipline specific competence to coordinate the auditing of multiple disciplines.

Establishing the Evaluation Criteria The criteria may be qualitative (such as having demonstrated personal behaviours, knowledge or the performance of the skills, in training or in the workplace) and quantitative (such as the years of work experience and education, number of audits conducted, hours of audit training).

Selecting the Appropriate Evaluation Method (1) The evaluation should be conducted using two or more of the methods selected from those in Table 1 (next slide). In using Table 1, the following should be noted:
- the methods outlined represent a range of options and may not apply in all situations
- the various methods outlined may differ in their reliability
- typically, a combination of methods should be used to ensure an outcome that is objective, consistent, fair and reliable

Table 1 – Select the Appropriate Evaluation Method

| Evaluation Method | Objectives | Examples |
|---|---|---|
| Review of Records | To verify the background of the auditor | Analysis of records of education, training, employment and audit experience |
| Feedback | To provide information about how the performance of the auditor is perceived | Surveys, questionnaires, personal references, testimonials, complaints, performance evaluation, peer review |
| Interview | To evaluate personal behaviours and communication skills, to verify information and test knowledge and to acquire additional information | Personal interviews |
| Observation | To evaluate personal behaviours and the ability to apply knowledge and skill | Role playing, witnessed audits, on-the-job performance |
| Testing | To evaluate personal behaviours and knowledge and skills and their application | Oral and written exams, psychometric testing |
| Post-audit Review | To provide information on the auditor performance during the audit activities, identify strengths and weaknesses | Review of the audit report, interviews with the audit team leader, the audit team and, if appropriate, feedback from the auditee |

Conducting the Evaluation In this step the information collected about the person is compared against the set criteria. Where a person expected to participate in the audit programme does not meet the criteria, additional training, work and/or audit experience should be undertaken, followed by a re-evaluation.

Maintenance and Improvement of Competence Auditors should maintain their auditing competence through regular participation in management system audits and continual professional development. Continual professional development involves the maintenance and improvement of competence. This may be achieved through additional work experience, training, private study, coaching, seminars and conferences or other relevant activities. Auditors, audit team leaders and audit managers should continually improve their competence. The organisation needing to conduct audits should establish suitable mechanisms for the continual evaluation of the auditors, team leaders and audit managers. The continual professional development activities should take into account results of post audit reviews, changes in the needs of the individual and the organisation needing to conduct audits, the practice of auditing, standards and other requirements.

CONCLUDING REMARKS Coming to the end of this training session, you have learned about various aspects and requirements of auditing a Management System. We hope that the information provided in this training kit was helpful to you. Please utilise this knowledge, participate in internal audits, and improve your audit skills. An important suggestion: We strongly recommend every potential auditor and audit manager to procure a copy of the ISO19011:2011 standard from the ISO (Geneva) or the licensed publisher of ISO standards in his / her country. This will serve as a reference book for conducting the audit process in a standardised manner.