ISO 9001 Lead Auditor Training

MODULE 5   Audit Activities
5.2 Conducting Document Review
The auditee’s documentation should be reviewed to determine the conformity of the system, as documented with the audit criteria. The documentation may include relevant management system documents and records and previous audit reports. The review should take into account the size, nature and complexity of the organization, and the objectives and scope of the audit. In some situations, this review may be deferred until the on-site activities commence, if this is not detrimental to the effectiveness of the conduct of the audit. In other situations a preliminary site visit may be conducted to obtain an overview of available information (see coverage above on preliminary site visit).

ISO 9000 Lead Auditor Training - If the documentation is found to be inadequate, the audit team leader should inform the audit client, program manager and auditee. A decision should be made as to whether the audit should be continued or suspended until documentation concerns are resolved.
See module 2 for details of how a documentation review should be done.

Note: The Documentation Review is now done as Stage One of the Registration Audit. The scope of the On-site stage one audit includes:

-Review conformity of the organization's QMS documentation to ISO 9001 requirements.
- Review completion of full cycle of internal audits and management review processes

Based on the evaluation of Stage One audit findings, the ISO 9001 Lead Auditor will then determine whether the organization is ready for the Stage Two Implementation Audit.

5.3 Preparing for the on-site audit activities

5.3.1 Audit Strategies
In preparing the plan, the team leader in consultation with the audit team will decide the strategy for the audit, and there are a number of options. Some auditors favor starting at the point in a company where inquiries from clients are received. The auditors then follow the process through confirming an order, going through technical, procurement, inventory, production, test, shipping, and service, plus taking in specialized areas along the way.

ISO 9000 Auditor Training - This approach may be termed a “process audit ”. The auditors follow a specific order or set of processes through the system and examine controls of each process along the way. The process audit approach will require the auditor to look at the following aspects of process management:

a) Controls over inputs, outputs and the value-added activities within a process
b) Controls related to the utilization of resources in converting inputs to outputs
c) Use of the PDCA methodology in applying the clauses of the ISO 9001:2000 standard to each process
d) Reviewing the controls related to the interaction, linkage and combination with other processes, both on the input and output sides
e) Evidence of measurable objectives for each process and metrics to track performance to them

Reference should be made to clause 4.1 and 8.2.3 of the ISO standard for the process approach.
Also see sections 2.2 – 2.4 of Module 2 and section 3.4 of these Course Notes.

Another strategy would be to do a product audit where the auditor would look for all the controls required by clause 7.1 for fulfilling the requirements of a specific product, service, project or contract or category of products (see section 3.4 of Module 3 of these Course Notes).

ISO 9000 Training - Yet another strategy is to consider all the activities in a particular department without reference to overall workload. This would be termed “departmental” audit and may include a number of processes within a department. Internal audits in each department often take this approach.

There are some ISO 9001 clauses that are applied across the board in all departments such as 4.2.3 for document control and 6.2.2 for training. These can be audited by themselves or in combination with process, product, department, or contract strategies.

Audits must always be planned. Audits that are not planned are likely to reflect worst practices. Audits may be termed “random”, but without an objective or a plan, then perhaps “unprofessional” should be the preferred term.

The plan, therefore, is likely to be a reflection of combined approach of both “up” and “down” and some “across” the organization. The auditors need to be sure that the plan gives them enough time in each area for sharing of information within the team and to advise the auditee organization of where they are likely to be at any given time.

Keeping the organization informed will allow them to ensure they have a member of management available in each department to meet the auditors and also to ensure that there is a guide available for the auditors for going from one department to the next. Few organizations allow external people to wander around their facilities unaccompanied. In any case, third party auditors must always have a guide. 

"Understanding ISO 9001" provides a detailed explanation of each ISO 9001 clause (requirements).

ISO 9001 FAQ provides answers to commonly asked questions about the ISO 9000 family of quality management standards.