STUDENT COURSE NOTES

ISO 9001:2015
INTERNAL AUDITOR TRAINING
COURSE
 QUALITY
MANAGEMENT
SYSTEM

TUV SUD created a conducive learning Prior knowledge

environment to ensure that the established
training objectives are met and achieve Before starting this course, Tutor informs
learning satisfaction. attendees that they are expected to have the
following prior knowledge:

a. Management systems
INTRODUCTION
• The Plan, Do, Check, Act (PDCA) cycle
THE COMPANY • The core elements of a management
system and the interrelationship
TUV SUD Philippines designed this between top management
Quality Management Systems (QMS) responsibility, policy, objectives,
Internal Auditor training course to; planning, implementation,
measurement, review and continuous
• provide attendees with the knowledge improvement.
and skills required to perform first,
second and third-party audits of Quality
b. Quality management
management systems against ISO 9001,
in accordance with ISO 19011, as • The fundamental concepts and the
applicable, seven quality management principles
(see ISO 9000).
All references to ISO standards in this • The relationship between quality
document are to the current versions, management and customer satisfaction.
unless stated otherwise.

c. ISO 9001
Course Notes;
An understanding of the requirements of
ISO 9001 and the commonly used quality
• is designed for the purpose of detailing management terms and definitions, as
the presentation of the course TUV SUD given in ISO 9000, which may be gained by
PHILS as an ISO 9001 Internal Auditor completing a CQI and IRCA Certified ISO
training course. 9001:2015 Foundation (QMS)Training
• details the minimum requirements course or equivalent
presented fully in accordance with the
company confidential nature of training
methods and materials used for this
course.
• is established and developed to ensure
that the learning objective is effectively
attained and meet the requirement, the
company’s training policy and TUV SUD
Phil’s satisfaction.

TUV SUD ME.QIT072 Rev. No.: 00 Rev. Date: 17 MAY. 2020 Page 1 of 40 FROF
Learning objectives COURSE OUTLINE

Learning objectives describe what attendees The Quality Management System Internal
shall be able to do by the end of the course. Auditor Training Course is a 2-day course
Attendees will need to demonstrate acceptable combining tutorials, group exercises and role
performance in all of these areas in order to play activities in relation to the simulated
complete the course successfully. assessment of the case study company. It will
provide with both theory and practical
By the end of the course attendees should be application in a safe learning environment.
able to attain:
COURSE FORMAT
Knowledge
This is applied for the whole duration of 2 days.
1.1.1 With reference to the PDCA cycle,
explain the process-based quality
management system model for ISO The course is formatted as follows;
9001 and the role of an internal audit
in the maintenance and improvement • The first day starts with introduction of
of quality management systems (see participants and tutor/s.
2.1). • Course outlined to view the program for
the 2-day training schedules.
1.1.2 Explain the role and responsibilities of • Training by formal tutorials, individual
an auditor to plan, conduct, report and task, group exercises and role play
follow-up an internal quality involving assessment of a fictitious
management system audit, in company.
accordance with ISO 19011. Discussion and feedbacks after the
exercises.
• The training days begin with review of
Skills the previous day topics and end in
consolidation of the learning objectives
1.1.3 Plan, conduct, report and follow-up an for the day.
internal audit of part of a quality • Breaks’ timing in between lessons.
management system based on ISO
9001, and in accordance with ISO The format and structure of the course is subject
19011. for continuing improvement by providing
allowance for adjustment or changes thus giving
both theory and practical applications in a safe
learning environment.

Courses for management system disciplines

where observation is an essential audit method
must include images (photographs and/or
video) to support and provide contexts for
learning points. For example, Quality
management, Quality management, and social
systems auditing should include images
showing a variety of facilities (factories, sites,
farms, etc) that auditors may be faced with, as
well as a variety of issues that the auditor may
face (health, safety, work activities and
environment, etc).

TUV SUD ME.QIT072 Rev. No.: 00 Rev. Date: 17 MAY. 2020 Page 2 of 40 FROF
Classroom-based training

TUV SUD PHILS provides a training

environment conducive to effective learning
and the use of accelerated and participative
training methods.

At the beginning of the course;

• a description of the learning objectives,

course structure, format and program,
responsibilities, the assessment processes
and assessment criteria, and you must also
deal with any concerns or worries that s
may have;

• course based on the learning cycle and

include opportunities to:

a) Experience new ideas and skills.

b) Reflect on their learning and identify
strengths and weaknesses.
c) Address and improve on areas of
weakness.

• a variety of learning methods to suit the

range of learning styles;
• tutor presentations and tutor-led
discussions to achieve knowledge-based
learning objectives

The course includes;

• methods for monitoring and providing

time for tutor to review tasks and
activities, and each ’s achievement of
the learning objectives;
• provision for review and remedial work
and individual coaching where
necessary

COURSE PROGRAM

Day 1 - Understanding ISO 9001:2015 Internal

Audit requirements and related issues
Day 2 - The Internal Audit process

TUV SUD ME.QIT072 Rev. No.: 00 Rev. Date: 17 MAY. 2020 Page 3 of 40 FROF
 COURSE NOTES

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 0 of 40
 DAY 1

Day 1 - Understanding of Quality Management System Internal Audit and related issues

EXERCISE 1 - DELEGATE INTRODUCTION- MINI INTERVIEW

REQUIREMENT NOTES
• Registration
• Distribution of
training materials
• Participants/Tutor • Name
introduction • Organization
• Attendance
• Responsibility
• Training rules and
regulations • Understanding of ISO 9001 (rate 1- 10)
• Introduction • Expectation in this course

Learning objectives All participants of this course are expected to have the following prior
Prior Knowledge knowledge: Please check if you have the knowledge, if not read the note
below.

a. Management systems

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 1 of 40
 b. Quality management

c. ISO 9001

Understanding QMS Internal Requirements

REQUIREMENT NOTES

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 2 of 40
 Quality The adoption of a quality management system is a strategic decision for an
Management organization that can help to improve its overall performance and provide a sound
System basis for sustainable development initiatives.
Purpose:
The potential benefits to an organization of implementing a quality management
system based on this International Standard are:

• the ability to consistently provide products and services that meet customer and
applicable statutory and regulatory requirements;
• facilitating opportunities to enhance customer satisfaction;
• addressing risks and opportunities associated with its context and objectives;
• the ability to demonstrate conformity to specified quality management system
requirements.

The quality management system requirements specified in this International Standard

are complementary to requirements for products and services.

BUSINESS With improved QMS implementation, organization can:

BENEFITS of
improving • Error Reduction in product and services.
QMS • Manage changes effectively
• Increased Productivity
• Improved business performance

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 3 of 40
 hilippines nternal ditor raining o rse ss ed . .

REQUIREMENT NOTES
Structure and ISO 9001 Standard promotes the adoption of a process approach when developing,
content of ISO implementing and improving the effectiveness of a quality management system, to
9001 based on enhance customer satisfaction by meeting customer requirements.
PDCA cycle
The process approach involves the systematic definition and management of
Process-based processes, the interrelationships and interdependencies among the processes of the
ISO 9001 system, to achieve the intended results by using the PDCA cycle with an overall focus
on risk-based thinking aimed at taking advantage of opportunities and preventing
undesirable results.

The PDCA model provides an iterative process used by organizations to achieve

continual improvement. It can be applied to all management system and to each of
its individual elements.

ISO 9001 requirements in PDCA cycle:

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 4 of 40
 REQUIREMENT NOTES
Quality
Management
Systems
Processes

QUALITY
MANAGEMENT
SYSTEM
OBJECTIVES

QUALITY
MANAGEMENT
SYSTEM
PROCESS

Relationship between Quality Management System purpose, processes and its significance of
these for QMS auditor.

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 5 of 40
 WORKSHOP 1 – ISO 9001:2015 Requirements Interrelationship

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 6 of 40
 ISO 19011:2018 Guidelines for auditing management systems and its terminologies

WORKSHOP 2 – Terms and Definitions

REQUIREMENT NOTES
Seven INTEGRITY:
principles of the foundation of professionalism
auditing
FAIR PRESENTATION:
the obligation to report truthfully and accurately

DUE PROFESSIONAL CARE:

the application of diligence and judgement in auditing

CONFIDENTIALITY:
security of information

INDEPENDENCE:
the basis for the impartiality of the audit and objectivity of the audit
conclusions

EVIDENCE-BASED APPROACH:
the rational method for reaching reliable and reproducible audit
conclusions in a systematic audit process

RISK-BASED APPROACH:
audits are focused on matters that are significant for the audit client, and
for achieving the audit program objectives.

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 7 of 40
 TERMS AND Referring to ISO 9000 review the definition of the terms in the table.
DEFINITION These terms and definitions are the terminology used in this international
USE IN standard and is commonly used in auditing.
AUDITING
ACCORDING Audit program
TO ISO Requirement
19011:2018 Audit Evidence
Audit
Audit Objective
Effectiveness
Audit Plan
Process
Audit Findings
Audit Conclusion
Audit Criteria
Audit Scope
Internal Audit

INTERNAL REQUIREMENTS
AUDIT
The organization shall:

• conduct internal audits at planned intervals

• plan, establish, implement and maintain an audit program(s)
including the frequency, methods, responsibilities, planning
requirements and reporting,
• take into consideration the importance of the processes concerned,
changes affecting the organization, and the results of previous
audits;
• define the audit criteria and scope for each audit;

Internal audit is performed to:

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 8 of 40
 INTERNAL • verify the quality management system of an organization:
AUDIT • determine and meet conformance and capability;
OBJECTIVES • evaluate effectiveness and identification of potential improvement;
suggest how these different types of audit can contribute to the
maintenance and improvement of quality management systems

hilippine nternal ditor o rse ss ed . .

EXERCISE 2
REQUIREMENT NOTES
Types of Audit The table shows the different types of audits and its typical audit objective with
its contribution to the organization.

The illustration gives internal auditors confidence that each type of audit needs
their contribution for an effective implementation of the management system.

In the following activities, identify what type of audit.

Activities Type of Audit

Auditing firm hired to audit a manufacturing industry for its ability to comply
with the requirements of a Trading company who hires the firm.

Auditing firm hired to audit the stores of the Trading company who hires the
firm and report the result to the Trading company.

Trading company under auditing by firm to check for effectiveness of the

company’s Food afety Management ystem for compliance to Global
Certification Body.

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 9 of 40
 Trading company outsourced their internal audit, send HR to see qualified
auditing firm to verify if it meets their requirements.

Manufacturing company is audited in response to the requirements of the

Trading company that their suppliers subscribe to a certifying organization
internationally recognized.

Regulatory body auditing an organization for its compliance to regulatory

requirements.

ompany hired an external a ditor to verify their s bcontractor’s capacity to

supply required services.

diting firm hired to a dit the company’s different sites.

Organization supplying products to oil and gas company audits their

capability to supply products.

Auditing firm hired by consultant to verify food manufacturing company to

meet food catering requirements.

REQUIREMENT NOTES
Audit Process The outline of audit process that typically define the sequence of
Flow conducting the audit.

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 10 of 40
 Auditing activities are step-by-step methods for;
• preparing,
• performing,
• reporting, and
• follow-up audit.

As per ISO 19011:2018, the diagram illustrates audit management. The

audit program is established that include defining the objective, scope
and criteria for an individual audit.

AUDIT PROGRAM is the arrangements for a set of one or more audits

planned for a specific time frame and directed towards a specific
purpose.

5. Managing
audit program

An audit program should be established which can include audits

addressing one or more management system standards or other
requirements, conducted either separately or in combination.

The individual(s) managing the audit program should have the necessary
competence to manage the program and its associated risks and
opportunities,

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 11 of 40
 In order to understand the context of the auditee, the audit program
sho ld take into acco nt the a ditee’s

• organizational objectives;
• relevant external and internal issues;
• the needs and expectations of relevant interested parties;
• information security and confidentiality requirements.

The planning of internal audit programs and, in some cases programs for
auditing external providers, can be arranged to contribute to other
objectives of the organization.

The individual managing the audit program should ensure;

• the integrity of the audit is maintained and

• that there is not undue influence exerted over the audit.

Audit priority should be given to allocating resources and methods to

matters in a management system with higher inherent risk and lower
level of performance.

Competent individuals should be assigned to manage the audit program.

The audit program should include information and identify resources to

enable the audits to be conducted effectively and efficiently within the
specified time frames.

The implementation of the audit program should be monitored and

measured on an ongoing basis to ensure its objectives have been
achieved.

The audit program should be reviewed in order to identify needs for

changes and possible opportunities for improvements.

hilippine nternal ditor o rse ss ed . .

REQUIREMENT NOTES
6. Conducting 6.1 General
the Audit

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 12 of 40
 This clause contains guidance on preparing and conducting a specific audit
as part of an audit program.

6.1 Typical
Figure 2 provides an overview of the activities performed in a typical audit.
Audit
The extent to which the provisions of this clause are applicable depends on
Activities
the objectives and scope of the specific audit.

Figure 2

6.2 initiating
6.2.1 The responsibility for conducting the audit should remain with the
the audit
assigned audit team leader until the audit is completed.

To initiate an audit, the steps in Figure 1 (see slide 207) should be

considered; however, the sequence can differ depending on the auditee,
processes and specific circumstances of the audit.

6.2.2 Establishing contact with auditee

The audit team leader should ensure that contact is made with the auditee to:

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 13 of 40
 a confirm comm nication channels with the a ditee’s representatives;
b) confirm the authority to conduct the audit;
c) provide relevant information on the audit objectives, scope, criteria,
methods and audit team composition, including any technical experts;
d) request access to relevant information for planning purposes including
information on the risks and opportunities the organization has identified
and how they are addressed;
e) determine applicable statutory and regulatory requirements and other
requirements relevant to the activities, processes, products and services
of the auditee;
f) confirm the agreement with the auditee regarding the extent of the
disclosure and the treatment of confidential information;
g) make arrangements for the audit including the schedule;
h) determine any location-specific arrangements for access, health and
safety, security, confidentiality or other;
i) agree on the attendance of observers and the need for guides or
interpreters for the audit team;
j) determine any areas of interest, concern or risks to the auditee in relation
to the specific audit;
k) resolve issues regarding composition of the audit team with the auditee or
audit client.

6.2.3 Determining feasibility of audit

The feasibility of the audit should be determined to provide reasonable

confidence that the audit objectives can be achieved.

Where the audit is not feasible, an alternative should be proposed to the audit
client, in agreement with the auditee.

hilippines nternal ditor o rse ss ed . .

REQUIREMENT NOTES
6.3.1 The relevant management system documented information of the auditee
Performing should be reviewed in order to:

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 14 of 40
 review of
documented ▪ gather information to nderstand the a ditee’s operations and to
information prepare audit activities and applicable audit work documents (see
6.3.4), e.g. on processes, functions;
▪ establish an overview of the extent of the documented information to
determine possible conformity to the audit criteria and detect possible
areas of concern, such as deficiencies, omissions or conflicts.

The documented information should include, but not be limited to:

• management system documents and records, as well as

• previous audit reports.

The review should take into account;

• the context of the a ditee’s organization, incl ding its size, nat re
and complexity,
• its related risks and opportunities.
• the audit scope, criteria and objectives.

6.3.2 Audit 6.3.2.1 Risk-based approach to planning

Planning
The audit team leader should adopt a risk-based approach to planning the
audit based on the information in the audit programme and the
documented information provided by the auditee.

Audit planning should consider the risks of the audit activities on the
a ditee’s processes and provide the basis for the agreement among the
audit client, audit team and the auditee regarding the conduct of the audit.

Planning should facilitate the efficient scheduling and coordination of the

audit activities in order to achieve the objectives effectively.

The amount of detail provided in the audit plan should reflect the scope
and complexity of the audit, as well as the risk of not achieving the audit
objectives. In planning the audit, the audit team leader should consider the
following:

a) the composition of the audit team and its overall competence;

b) the appropriate sampling techniques (see A.6);
c) opportunities to improve the effectiveness and efficiency of the audit
activities;
d) the risks to achieving the audit objectives created by ineffective audit
planning;
e) the risks to the auditee created by performing the audit.

Risks to the auditee can result from the presence of the audit team
members adversely infl encing the a ditee’s arrangements for health and
safety, environment and quality, and its products, services,
personnel or infrastructure (e.g. contamination in clean room facilities).

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 15 of 40
 6.3.2.2 Audit planning details

The scale and content of the audit planning can differ, for example,
between initial and subsequent audits, as well as between internal and
external audits. Audit planning should be sufficiently flexible to permit
changes which can become necessary as the audit activities progress.

Audit planning should take into account, as appropriate:

▪ identification of the a ditee’s representative s for the a dit;

▪ the working and reporting language of the audit where this is different
from the language of the auditor or the auditee or both;
▪ the audit report topics;
▪ logistics and communications arrangements, including specific
arrangements for the locations to be audited;
▪ any specific actions to be taken to address risks to achieving the audit
objectives and opportunities arising;
▪ matters related to confidentiality and information security;
▪ any follow-up actions from a previous audit or other source(s) e.g.
lessons learned, project reviews;
▪ any follow-up activities to the planned audit;
• coordination with other audit activities, in case of a joint audit.

The audit team leader, in consultation with the audit team, should assign to
6.3.3 Assigning each team member responsibility for auditing specific processes, activities,
work to audit functions or locations and, as appropriate,
team authority for decision-making.

Such assignments should take into account the impartiality and objectivity
and competence of auditors and the effective use of resources, as well as
different roles and responsibilities of auditors, auditors-in-training and
technical experts.

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 16 of 40
 Audit team meetings should be held, as appropriate, by the audit team
leader in order to allocate work assignments and decide possible changes.
Changes to the work assignments can be made as the audit progresses in
order to ensure the achievement of the audit objectives.

6.3.4 Preparing
Documented
Information for
Audit

The audit team members should collect and review the information
relevant to their audit assignments and prepare documented information
for the audit, using any appropriate media. The documented
information for the audit can include but is not limited to:

a) physical or digital checklists;

b) audit sampling details;
c) audio visual information.

The use of these media should not restrict the extent of audit activities,
which can change as a result of information collected during the audit.

Documented information prepared for, and resulting from, the audit should
be retained at least until audit completion, or as specified in the audit
program.

Documented information created during the audit process

involving confidential or proprietary information should be suitably
safeguarded at all times by the audit team members.

EXERCISE: 3 - AUDIT CHECKLIST PREPARATION

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 17 of 40
 hilippines nternal ditor o rse ss ed . .

REQUIREMENT NOTES
6.4.1 General Audit activities are normally conducted in a defined sequence as
indicated in Figure 1.

This sequence may be varied to suit the circumstances of specific audits.

6.4.2 Assigning Guides and observers may accompany the audit team with approvals
roles and from the audit team leader, audit client and/or auditee, if required. They
responsibilities should not influence or interfere with the conduct of the audit.
of guides and If this cannot be assured, the audit team leader should have the right to
observers deny observers from being present during certain audit activities.

For observers, any arrangements for access, health and safety,

environmental, security and confidentiality should be managed between
the audit client and the auditee.

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 18 of 40
 Guides, appointed by the auditee, should assist the audit team and act
on the request of the audit team leader or the auditor to which they have
been assigned. Their responsibilities should include the following:

a) assisting the auditors in identifying individuals to participate in

interviews and confirming timings and locations;
b) arranging access to specific locations of the auditee;
c) ensuring that rules concerning location-specific arrangements for
access, health and safety, environmental, security, confidentiality and
other issues are known and respected by the audit team members
and observers and any risks are addressed;
d) witnessing the audit on behalf of the auditee, when appropriate;
e) providing clarification or assisting in collecting information, when
needed.

6.4.3 The purpose of the opening meeting is to:

Conducting
opening a) confirm the agreement of all participants (e.g. auditee, audit team) to
meeting the audit plan;
b) introduce the audit team and their roles;
c) ensure that all planned audit activities can be performed.

n opening meeting sho ld be held with the a ditee’s management and,

where appropriate, those responsible for the functions or processes to be
audited. During the meeting, an opportunity to ask questions should be
provided.

The degree of detail should be consistent with the familiarity of the

auditee with the audit process. In many instances, e.g. internal audits in
a small organization, the opening meeting may simply consist of
communicating that an audit is being conducted and explaining the
nature of the audit.

For other audit situations, the meeting may be formal and records of
attendance should be retained.

The meeting should be chaired by the audit team leader

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 19 of 40
 DAY 2

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 20 of 40
 REQUIREMENT NOTES
Review of day 1 6. CONDUCTING THE AUDIT

6.4.4 During the audit, it may be necessary to make formal arrangements for
Communicating communication within the audit team, as well as with the auditee, the audit
during client and potentially with external interested parties (e.g. regulators),
Audit especially where statutory and regulatory requirements require mandatory
reporting of nonconformities.

The audit team should confer periodically to exchange information, assess

audit progress and reassign work between the audit team members, as
needed.

During the audit, the audit team leader should periodically communicate
the progress, any significant findings and any concerns to the auditee and
audit client, as appropriate. Evidence collected during the audit that
suggests an immediate and significant risk should be reported without
delay to the auditee and, as appropriate, to the audit client. Any concern
about an issue outside the audit scope should be noted and reported to the
audit team leader, for possible communication to the audit client and
auditee.

Where the available audit evidence indicates that the audit objectives are
unattainable, the audit team leader should report the reasons to the audit
client and the auditee to determine appropriate action.

Such action may include changes to audit planning, the audit objectives or
audit scope, or termination of the audit.

Any need for changes to the audit plan which may become apparent as
auditing activities progress should be reviewed and accepted, as
appropriate, by both the individual(s) managing the audit program and the
audit client, and presented to the auditee.

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 21 of 40
 6.4.5 Audit The audit methods chosen for an audit depend on the defined audit
information objectives, scope and criteria, as well as duration and location. The
availability and location is where the information needed for the specific audit activity is
access available to the audit team. This may include physical and virtual locations.
Where, when and how to access audit information is crucial to the audit.

This is independent of where the information is created, used and/or

stored. Based on these issues, the audit methods need to be
determined (see Table A.1). The audit can use a mixture of methods. Also,
audit circumstances may mean that the methods need to change during
the audit.

hilippines nternal ditor o rse ss ed . .

WORKSHOP 3 – DOCUMENT REVIEW

REQUIREMENT NOTES
6.4.6 he a ditee’s relevant doc mented information sho ld be
REVIEWING reviewed to:
DOCUMENTED
INFORMATION • determine the conformity of the system, as far as
WHILE documented, with audit criteria;
CONDUCTING • gather information to support the audit activities.
AUDIT
The review may be combined with the other audit activities and
may continue throughout the audit, providing this is not
detrimental to the effectiveness of the conduct of the audit.

If adequate documented information cannot be provided within

the time frame given in the audit plan, the audit team leader

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 22 of 40
 should inform both the individual(s) managing the audit program
and the auditee. Depending on the audit objectives and scope, a
decision should be made as to whether the audit should be
continued or suspended until documented information concerns
are resolved.

eference

hilippines nternal ditor o rse ss ed . .

REQUIREMENT NOTES
6.4.7 Collecting The figure above provides an overview of a typical process, from
and verifying collecting information to reaching audit conclusions
information
During the audit, information relevant to the audit objectives, scope and
criteria, including information relating to interfaces between functions,
activities and processes should be collected by means of
appropriate sampling and should be verified, as far as practicable.

Only information that can be subject to some degree of verification

should be accepted as audit evidence. Where the degree of verification
is low the auditor should use their professional judgement to determine
the degree of reliance that can be placed on it as evidence. Audit
evidence leading to audit findings should be recorded. If, during the
collection of objective evidence, the audit team becomes aware of any
new or changed circumstances, or risks or opportunities, these should
be addressed by the team accordingly.

Verifying Insofar as practicable, the auditors should consider whether the

information information provides sufficient objective evidence to demonstrate that
requirements are being met, such as being:

a) complete (all expected content is contained in the documented

information);

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 23 of 40
 b) correct (the content conforms to other reliable sources such as
standards and regulations);
c) consistent (the documented information is consistent in itself and
with related documents);
d) current (the content is up to date).

It should also be considered whether the information being verified

provides sufficient objective evidence to demonstrate that requirements
are being met.

If information is provided in a manner other than expected (e.g. by

different individuals, alternate media), the integrity of the evidence
should be assessed.

Specific care is needed for information security due to applicable

regulations on protection of data (in particular for information which lies
outside the audit scope, but which is also contained in the
document)

Selecting The sources of information selected may vary according to the scope
sources of and complexity of the audit and may include the following:
information
a) interviews with employees and other individuals;
b) observations of activities and the surrounding work environment and
conditions;
c) documented information, such as policies, objectives, plans,
procedures, standards, instructions, licenses and permits,
specifications, drawings, contracts and orders;
d) records, such as inspection records, minutes of meetings, audit
reports, records of monitoring program and the results of
measurements;
e) data summaries, analyses and performance indicators;
f) information on the a ditee’s sampling plans and on any proced res
for the control of sampling and measurement processes;
g) reports from other sources, e.g. customer feedback, external surveys
and measurements, other relevant information from external parties
and external provider ratings;
h) databases and websites;
i) simulation and modelling.

Conducting Interviews are an important means of collecting information and should

interviews be carried out in a manner adapted to the situation and the individual
interviewed, either face to face or via other means of communication.
However, the auditor should consider the following:

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 24 of 40
 a) interviews should be held with individuals from appropriate levels
and functions performing activities or tasks within the audit scope;
b) interviews should normally be conducted during normal working
hours and, where practical, at the normal workplace of the individual
being interviewed;
c) attempts should be made to put the individual being interviewed at
ease prior to and during the interview;
d) the reason for the interview and any note taking should be explained;
e) interviews may be initiated by asking individuals to describe their
work;
f) the type of question used should be carefully selected (e.g. open,
closed, leading questions, appreciative inquiry);
g) awareness of limited non-verbal communication in virtual settings;
instead focus should be on the type of questions to use in finding
objective evidence;
h) the results from the interview should be summarized and reviewed
with the interviewed individual;
i) the interviewed individuals should be thanked for their participation
and cooperation

hilippines nternal ditor o rse ss ed . .

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 25 of 40
 REQUIREMENT NOTES
6.4.8 Generating Audit evidence should be evaluated against the audit criteria in order
audit findings to determine audit findings. Audit findings can indicate conformity or
nonconformity with audit criteria. When specified by the audit plan,
individual audit findings should include conformity and good
practices along with their supporting evidence, opportunities for
improvement, and any recommendations to the auditee.

Nonconformities and their supporting audit evidence should be

recorded.

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 26 of 40
 Nonconformities can be graded depending on the context of the
organization and its risks. This grading can be;

• quantitative (e.g. 1 to 5) and

• qualitative (e.g. minor, major).

They should be reviewed with the auditee in order to obtain

acknowledgement that the audit evidence is accurate and that the
nonconformities are understood. Every attempt should be made to
resolve any diverging opinions concerning the audit evidence or
findings. Unresolved issues should be recorded in the audit report.

The audit team should meet as needed to review the audit findings
at appropriate stages during the audit.

WRITING
NONCONFORMITY

WORKSHOP 4 – INTERVIEWING THE AUDITEE

WORKSHOP 5 – AUDIT ROLE PLAY

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 27 of 40
 EXERCISE 4: - Evaluate the scenario and write a nonconformity
report.

REQUIREMENT NOTES
6.4.9 6.4.9.1 Preparation for closing meeting
Determining
audit The audit team should confer prior to the closing meeting in
conclusions order to:

a) review the audit findings and any other appropriate

information collected during the audit, against the audit
objectives;
b) agree on the audit conclusions, taking into account the
uncertainty inherent in the audit process;
c) prepare recommendations, if specified by the audit plan;
d) discuss audit follow-up, as applicable.

6.4.9.2 Content of audit conclusions

Audit conclusions should address issues such as the

following:

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 28 of 40
 a) the extent of conformity with the audit criteria and
robustness of the management system, including the
effectiveness of the management system in meeting the
intended outcomes, the identification of risks and
effectiveness of actions taken by the auditee to address
risks;
b) the effective implementation, maintenance and
improvement of the management system;
c) achievement of audit objectives, coverage of audit scope
and fulfilment of audit criteria;
d) similar findings made in different areas that were audited
or from a joint or previous audit for the purpose of
identifying trends.

If specified by the audit plan, audit conclusions can lead to

recommendations for improvement, or future auditing
activities.

6.4.10
Conducting A closing meeting should be held to present the audit findings
closing meeting and conclusions.

The closing meeting should be chaired by the audit team

leader and attended by the management of the auditee and
include, as applicable:

• those responsible for the functions or processes which have

been audited;
• the audit client;
• other members of the audit team;
• other relevant interested parties as determined by the audit
client and/or auditee.

If applicable, the audit team leader should advise the auditee

of situations encountered during the audit that may decrease
the confidence that can be placed in the audit conclusions. If
defined in the management system or by agreement with the
audit client, the participants should agree on the time frame
for an action plan to address audit findings.

As appropriate, the following should be explained to the

auditee in the closing meeting:

a) advising that the audit evidence collected was based on a

sample of the information available and is not necessarily
fully representative of the overall effectiveness of the
a ditee’s processes;
b) the method of reporting;
c) how the audit finding should be addressed based on the
agreed process;

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 29 of 40
 d) possible consequences of not adequately addressing the
audit findings;
e) presentation of the audit findings and conclusions in such
a manner that they are understood and acknowledged by
the a ditee’s management;
f) any related post-audit activities (e.g. implementation and
review of corrective actions, addressing audit complaints,
appeal process).

Any diverging opinions regarding the audit findings or

conclusions between the audit team and the auditee should
be discussed and, if possible, resolved. If not resolved, this
should be recorded.

If specified by the audit objectives, opportunities for

improvement recommendations may be presented.

It should be emphasized that recommendations are not

binding.

REQUIREMENT NOTES
6.5 Preparing and 6.5.1 Preparing audit report
distributing audit
report The audit team leader should report the audit conclusions in
accordance with the audit program.

The audit report should provide a complete, accurate, concise and

clear record of the audit, and should include or refer to the following:

a) audit objectives;

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 30 of 40
 b) audit scope, particularly identification of the organization (the
auditee) and the functions or processes audited;
c) identification of the audit client;
d) identification of a dit team and a ditee’s participants in the a dit;
e) dates and locations where the audit activities were conducted;
f) audit criteria;
g) audit findings and related evidence;
h) audit conclusions;
i) a statement on the degree to which the audit criteria have been
fulfilled;
j) any unresolved diverging opinions between the audit team and the
auditee;
k) audits by nature are a sampling exercise; as such there is a risk
that the audit evidence examined is not representative.

6.5.2 Distributing audit report

The audit report should be issued within an agreed period of time. If it

is delayed, the reasons should be communicated to the auditee and
the individual(s) managing the audit program.

The audit report should be dated, reviewed and accepted, as

appropriate, in accordance with the audit
program.

The audit report should then be distributed to the relevant interested

parties defined in the audit program or audit plan.

When distributing the audit report, appropriate measures to ensure

confidentiality should be considered.

6.6 COMPLETING
THE AUDIT The audit is completed when all planned audit activities have been
carried out, or as otherwise agreed with the audit client (e.g. there
might be an unexpected situation that prevents the audit being
completed according to the audit plan).

Documented information pertaining to the audit should be retained or

disposed of by agreement between the participating parties and in
accordance with audit program and applicable requirements.

Unless required by law, the audit team and the individual(s) managing
the audit program should not disclose any information obtained during
the audit, or the audit report, to any other party without the explicit
approval of the audit client and, where appropriate, the approval of
the auditee. If disclosure of the contents of an audit document is
required, the audit client and auditee should be informed as soon

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 31 of 40
 as possible.

Lessons learned from the audit can identify risks and opportunities for
the audit program and the auditee.

M
determine if correction is
acceptable,
erify effective
implementation of the
corrective action on set
follow p a dit
lose the a dit if corrective
action to nonconformity is
effectively implemented.

hilippines nternal ditor o rse ss ed . .

REQUIREMENT NOTES
6.7 Audit follow-up The outcome of the audit can, depending on the audit objectives,
indicate the need for corrections, or for corrective actions, or
opportunities for improvement. Such actions are usually decided
and undertaken by the auditee within an agreed timeframe. As
appropriate, the auditee should keep the individual(s) managing the
audit program and/or the audit team informed of the status of these
actions.

The completion and effectiveness of these actions should be

verified. This verification may be part of a subsequent audit.
Outcomes should be reported to the individual managing the audit
program and reported to the audit client for management review.

The evidence obtained to support the resolution of nonconformities

Verification of shall:
Cause Analysis of Be recorded
Nonconformities: Informed auditee of the result of the review and verification,
Informed if;
an additional full audit,
an additional limited audit, or
documented evidence will be needed to verify effective correction
and corrective actions.

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 32 of 40
 CORRECTIVE
ACTION PROCESS

Corrections and corrective actions submitted by auditee are

effective when auditor:

• reviews the:

- corrections,
- identified causes and
- corrective actions

• verifies its effectiveness

• records evidence obtained to support the resolution of
nonconformities.
• informs client of the result of the review and verification.

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 33 of 40
 ,

hilippines nternal ditor o rse ss ed . .

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 34 of 40
 EXAMINATION

TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 35 of 40
TÜV SÜD Philippines | ISO 9001:2015 Internal Audit FROF Issued: 03.07.2022 Page 36 of 40