ISO 9001 2015 QMS Auditor

Uploaded by

tajpakkir

ISO 9001:2015

Quality Management
System Auditor
Quality

“The degree to which a set of inherent
characteristics of an object fulfils
requirements.”
(ISO 9000:2015)

Management system = set of interrelated or
interacting elements of an organization to establish
policies and objectives, and processes to achieve
those objectives.

Joseph M. Juran W. Edwards Deming


Quality Management
Principles
01. Customer focus
Meet customer requirements and exceed his expectations.

02. Leadership
Leaders establish unity of purpose and direction.

03. Engagement of people
Competent, empowered and engaged people are essential to deliver value.

04. Process approach
Activities should be managed as processes in a coherent system.

05. Improvement
Successful organizations have an ongoing focus on improvement.

06. Evidence-based decision making
Decisions based on analysis and evaluation are more likely to produce desired results.

07. Relationship management
Manage the relationships with interested parties for sustained success.
Standards in the ISO 9000 series

ISO 9000
Fundamentals and vocabulary

ISO/TS 9002
Guidelines for the application of ISO 9001

ISO 9004
Guidance to achieve sustained success

ISO 19011
Guidelines for auditing management systems
ISO 9001
Requirements for a quality management system

1987 First edition of ISO 9001
1994 Second edition of ISO 9001
2000 Third edition of ISO 9001
2008 Fourth edition of ISO 9001
2015 Fifth (and current) edition of ISO 9001
Sector specific standards
for quality management
(based on ISO 9001)

ISO 13485
Quality management system requirements for organizations
involved in the design, production, installation and servicing
of medical devices and related services.

ISO/IEC/IEEE 90003
Guidelines for the application of ISO 9001:2015 to
computer software.

ISO 29001
Quality management system requirements for product
and service supply organizations to the petroleum,
petrochemical and natural gas industries.

ISO 18091
Guidelines for the application of ISO 9001 in local
government.

iso.org
Certification to ISO 9001

For companies
▪ After passing an audit
▪ From an accredited certification body
▪ Valid for 3 years
▪ Yearly surveillance audits

For persons
▪ Involves an exam
▪ Different levels (e.g., practitioner, auditor, lead auditor)
Process approach

Process
Set of interrelated or interacting activities that use inputs to deliver an intended result.

Inputs
Requirements for products and services to be purchased.

Purchasing
Identification and selection of suppliers. Comparing offers. Receiving
products/ services and verifying their conformity.

Results
Products and services purchased.

Manufacturing
Plan-Do-Check-Act (PDCA)
Method used to control and improve the processes.
Can be applied to individual process and to the QMS.

Clauses 4, 5, 6, 7, 8, 9 and 10 of ISO 9001:2015
in relation to the PDCA cycle
(source ISO 9001:2015)
Risk-based thinking

Identify risks and address them to
improve organizational performance
and the ability to meet requirements.
Risk

The effect (deviation from
expected) of uncertainty.
ISO 9000:2015
The structure of ISO 9001:2015
Clause Title
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
4.1. Understanding the organization and its context
4.2. Understanding the needs and expectations of interested parties
4.3. Determining the scope of the quality management system
4.4. Quality management system and its processes
5. Leadership
5.1. Leadership and commitment
5.1.1. General
5.1.2. Customer focus
5.2. Policy
5.2.1. Establishing the quality policy
5.2.2. Communicating the quality policy
5.3. Organizational roles, responsibilities and authorities
6. Planning
6.1. Actions to address risks and opportunities
6.2. Quality objectives and planning to achieve them
6.3. Planning of changes
7. Support
7.1. Resources
7.1.1. General
7.1.2. People
7.1.3. Infrastructure
7.1.4. Environment for the operation of processes
7.1.5. Monitoring and measuring resources
7.1.6. Organizational knowledge
7.2. Competence
7.3. Awareness
7.4. Communication
7.5. Documented information
7.5.1. General
7.5.2. Creating and updating
7.5.3. Control of documented information
8. Operation
8.1. Operational planning and control
8.2. Requirements for products and services
8.2.1. Customer communication
8.2.2. Determining the requirements for products and services
8.2.3. Review of the requirements for products and services
8.2.4. Changes to requirements for products and services
8.3. Design and development of products and services
8.3.1. General
8.3.2. Design and development planning
8.3.3. Design and development inputs
8.3.4. Design and development controls
8.3.5. Design and development outputs
8.3.6. Design and development changes
8.4. Control of externally provided processes, products and services
8.4.1. General
8.4.2. Type and extent of control
8.4.3. Information for external providers
8.5. Production and service provision
8.5.1. Control of production and service provision
8.5.2. Identification and traceability
8.5.3. Property belonging to customers or external providers
8.5.4. Preservation
8.5.5. Post-delivery activities
8.5.6. Control of changes
8.6. Release of products and services
8.7. Control of nonconforming outputs
9. Performance evaluation
9.1. Monitoring, measurement, analysis and evaluation
9.1.1. General
9.1.2. Customer satisfaction
9.1.3. Analysis and evaluation
9.2. Internal audit
9.3. Management review
9.3.1. General
9.3.2. Management review inputs
9.3.3. Management review outputs
10. Improvement
10.1. General
10.2. Nonconformity and corrective action
10.3. Continual improvement
The context of the
organization

The organization shall determine the
internal and external issues that are
relevant to its purpose and its strategic
direction and that affect its ability to
achieve the intended outcomes of the
quality management system.
Context of the
organization

External issues (examples)
▪ Economic factors (e.g., inflation forecast, credit availability)
▪ Social factors (e.g., education levels, unemployment rates)
▪ Political factors (e.g., trade agreements, political stability)
▪ Technological factors
▪ Market factors (e.g., competition, supply chain relationships)
▪ Statutory and regulatory requirements on the work environment

Internal issues (examples)
▪ Resources available
▪ Governance
▪ Organizational culture
Audit suggestions
(Understanding the organization
and its context)

If available, documents like a SWOT analysis
or PESTLE analysis can be very useful;
however, ISO 9001 does not ask for
documented information on the external and
internal issues.
Interviews to collect information.
Needs and expectations
of interested parties

The organization shall determine the
interested parties that are relevant to the
QMS and their requirements.

Examples of interested parties (besides customers and users of
the products and services) include authorities, employees,
shareholders, competitors, banks, NGOs, suppliers, local
community groups, etc.
Audit suggestions
(Understanding the needs and
expectations of interested parties)

No requirement for documented information
to be created by the organization.
Interviews should be conducted, and the
information can be confirmed by reviewing
documents like contracts, permits, licenses,
regulations, protocols, etc.
The scope of the
QMS

The organization shall determine the
boundaries and applicability of the
quality management system to
establish its scope.
Not applicable
requirements

The organization shall apply all the
requirements of ISO 9001 if they are
applicable within the scope of the QMS.
Audit suggestions
(Determining the scope of the QMS)

The scope of the QMS shall be available as
documented information.
Consider the justification for any
requirements determined as not applicable.
The scope should be clear in terms of
activities, products, services, locations.
In time the scope may be subject to changes.
The processes of
the QMS

The organization shall determine the
processes needed for the QMS.
Different types of processes

Strategic processes
Require the involvement of top management (e.g.,
strategic planning, defining policies and objectives, etc.).

Core processes
That create value to the organization.

Support processes
They support the core processes (e.g., procurement,
equipment maintenance, budgeting, etc.).

Measurement, analysis and improvement processes
Like customer satisfaction monitoring, data analysis,
internal auditing, etc.
QMS processes
Maintain vs. retain
documented information

Maintain documented information to
support the operation of processes.
(procedures, work instructions, manuals, etc.)
Retain documented information to
have confidence that processes are
carried out as planned.
(records)
Audit suggestions
(QMS and its processes)

The organization understands the process
approach recommended by ISO 9001?
The processes of the QMS have been
identified (including their interactions)?
Is there documented information available
(e.g., process map)?
Leadership and
commitment

Top management shall demonstrate
leadership and commitment with
respect to the quality management
system.
Leadership and
commitment

Be accountable for the QMS.
Ensure that a quality policy and quality objectives are established.
Integrate the QMS into the day-to-day business.
Promote the process approach and risk-based thinking.
Provide resources.
Communicate about the QMS and its importance.
Ensure the QMS achieves the intended results.
Engage, support and direct others to contribute to the QMS.
Promote improvement.
Support other management roles to demonstrate their leadership.
Audit suggestions
(Leadership and commitment)

Interviews with the top management and
with other persons in the organization.
Review of documents (e.g., communications,
policies, financial records, etc.)
Customer focus

The top management shall
demonstrate leadership and
commitment with respect to customer
focus.
Audit suggestions
(Customer focus)

Interviews with the top management and
employees.
Review of documents.
Observation.
The quality
policy

Top management shall establish,
implement and maintain a quality
policy.
The quality policy

Establishing the quality policy
▪ Appropriate to the context of the organization.
▪ Supports its strategic direction.
▪ Includes a commitment to satisfy applicable requirements.
▪ Includes a commitment to continual improvement of the QMS.
▪ Provides a framework for setting quality objectives.

Communicating the quality policy
▪ Available and maintained as documented information.
▪ Communicated, understood and applied in the organization.
▪ Available to interested parties, as appropriate.
Audit suggestions
(Policy)

The policy document shall be available for review.
How is the policy communicated in the
organization?
Conduct interviews with the people in the
organization.
The persons working for the organization are
aware of the existence of the policy?
Is the policy understood?
Roles, responsibilities
and authorities

The organization shall ensure that the
responsibilities and authorities for
relevant roles are assigned,
communicated and understood in the
organization.
Roles, responsibilities
and authorities

Assign responsibilities and authorities to:
- ensure that the QMS conforms to the requirements
of ISO 9001;
- ensure that processes deliver the intended outputs;
- report on the performance of the QMS and
opportunities for improvement;
- promote customer focus;
- maintain the integrity of the QMS in case of
changes.
Audit suggestions
(Organizational roles,
responsibilities and authorities)

How responsibilities and authorities are
communicated.
Confirm that the persons responsible for the
QMS are aware of their assignments.
Risks and
opportunities

The organization shall determine the
risks and opportunities that need to be
addressed to give assurance that the
QMS can achieve its intended results,
to enhance desirable effects, to
prevent or reduce undesired effects
and to achieve improvement.
Risks and
opportunities

ISO 31000 – Guidelines for risk management.
IEC 31010 – Risk assessment techniques.
Addressing
risks

Avoidance
Mitigation
Sharing
Taking
Acceptance
Audit suggestions
(Actions to address risks and
opportunities)

No specific requirement for documented
information (e.g., risk register, risk
assessment).
Interviews.
“Managing risks will not ensure success, but
a lack of risk management leads usually to
failure.”
Quality
objectives

The organization shall establish quality
objectives at relevant functions, levels
and processes needed for the QMS.
Quality
objectives

Consistent with the quality policy.
Measurable.
Take into account applicable requirements.
Be relevant to the conformity of products and services
and to enhancement of customer satisfaction.
Monitored.
Communicated.
Updated, as necessary.
Documented.
Plans for the
achievement of objectives

Specific actions.
Responsibilities.
Resources.
Timeframes.
How the results will be evaluated.
Audit suggestions
(Quality objectives and planning to
achieve them)

Review of documented information.
Interviews with the management and with
those involved in the achievement of
objectives.
Confirm that the achievement of
objectives is monitored.
Planning of changes
Changes shall be carried out in a planned manner.

Consider:
- purpose and consequences;
- responsibilities and authorities;
- resources;
- the integrity of the QMS.
Audit suggestions
(Planning of changes)

An existing change management process?
Conduct interviews and review documents
(e.g., plans, risk assessments, minutes).
Resources

The organization shall determine and
provide the resources for the
establishment, implementation,
maintenance and continual
improvement of the QMS.
People

The organization shall determine and
provide the persons necessary for the
effective implementation of the QMS
and for the operation and control of
processes.
Infrastructure

The organization shall determine,
provide and maintain the
infrastructure necessary for the
operation of the processes and to
achieve conformity of products and
services.
(buildings, utilities, equipment, information and
communication technology)
Audit suggestions
(Infrastructure)

Is the necessary infrastructure available?
(observation)
How is the infrastructure maintained?
Planning of maintenance (interviews and
review of records).
Review of records generated from the
maintenance activities + competence of
those involved.
Environment for the
operation of processes

The organization shall determine,
provide and maintain the environment
necessary for the operation of its
processes and to achieve conformity of
products and services.
(a combination of human and physical factors)
Audit suggestions
(Environment for the operation of
processes)

There may be regulatory requirements on the
environment for the operation of processes.
Observation + Interviews + Review of
documented information.
Monitoring and
measuring resources

The organization shall determine and
provide the (monitoring and
measuring) resources needed to
ensure valid and reliable results when
verifying the conformity of products
and services to requirements.
Monitoring and measuring
resources

Monitoring
To determine the status of a system, process, product,
service or activity.

Measuring
Aimed to determine a value.
Monitoring and
measuring resources

Suitable for the monitoring and
measuring activities.
Maintained to ensure their fitness for
purpose.
Measurement
traceability

Whenever traceability is a requirement, equipment shall be:
- calibrated or verified, or both;
- identified to determine its calibration status;
- safeguarded.
Monitoring and
measuring resources

Whenever it is determined that unfit
equipment has been used for
measuring, the organization shall
determine if the validity of previous
measurements has been negatively
affected and take the necessary
actions.
Audit suggestions
(Monitoring and measuring
resources)

What needs to be monitored and measured
has been determined?
What are necessary measuring and
monitoring resources?
Calibration/ verification is required for the
monitoring and measuring equipment?
Review of documented information
(calibration schedule, verification records,
etc.).
Observation (storage conditions for
measuring and monitoring equipment).
Organizational
knowledge

The organization shall determine,
maintain and make available the
knowledge necessary for the operation of
processes and to achieve conformity of
products and services.
Sources of knowledge can be external (e.g., standards,
academia, online resources) or internal (e.g.,
intellectual property, lessons learned, experience).
Audit suggestions
(Organizational knowledge)

No requirements for documented
information on organizational knowledge.
What are the sources of organizational
knowledge?
The risk of losing undocumented knowledge
has been considered?
Competence

The organization shall determine the
necessary competence for the persons
whose work affects the effectiveness
and performance of the QMS; ensure
that these persons are competent; act
to acquire the necessary competence
and evaluate the effectiveness of the
actions.
Competence: the ability to apply knowledge and
skills to achieve the intended results.
Audit suggestions
(Competence)

Documented information (as evidence of
competence) must be available.
How competence requirements are defined.
Activities taken to raise the competence of
personnel (e.g., training, mentoring)
Awareness

The organization shall ensure the
awareness of persons doing work under its
control about:
- the quality policy;
- the relevant quality objectives;
- their contribution to the QMS;
- the benefits of improved performance and
- the implications of not conforming to requirements.
Awareness
Awareness is usually achieved
through communication, in different
forms.
Audit suggestions
(Awareness)

Interviews.
Review of documented information (e.g.,
communications from the managers,
minutes of meetings).
Observation.
Communication

The organization shall determine the
internal and external communications
relevant to the QMS.
On what.
When.
With whom.
How.
Who.
Audit suggestions
(Communication)

Review of documented information (e.g.,
emails, letters, etc.).
Interviews to evaluate the effectiveness of
communication.
Documented
information

The QMS documentation shall include:
- the documented information required
by ISO 9001 and
- the documented information
determined by the organization as
necessary (for the effectiveness of the
QMS).
Creating and updating
QMS documents

Identification and description.
Format.
Review and approval.
Control of
documented information

Documents must be available in a suitable
format where and when needed.
Documents must be protected (from loss of
confidentiality or integrity, improper use).

Distribution.
Access.
Retrieval and use.
Storage and preservation.
Version control.
Retention and disposition.
Audit suggestions
(Documented information)

The process for creating and updating QMS
documents.
Review, approval and version control.
Responsibilities and process for the withdrawal
of obsolete documents.
Retention of obsolete documents.
Control of access to the QMS documents.
Operational
planning and control

The organization shall plan, implement
and control the processes needed to
meet the requirements for the
provision of products and services.
Operational
planning and control

Determine the requirements for products and
services.
Establish criteria for the processes and for the
acceptance of products and services.
Determine the necessary resources.
Implement control of the processes.
Maintain and retain documented information.
Control planned changes and review the
consequences of unintended changes.
Control outsourced processes.
Customer
communication

The organization should have a clear
communication with its customers
when determining the requirements for
products and services to be delivered.
Customer
communication

Provide information on products and services
Make the customers understand what is being offered.

Inform on how customer property is managed
The customer should be aware of how the
organization will handle and control his property.

Handle enquiries, contracts or orders
Make it clear how customers can ask questions or
place an order. Inform on how changes will be
communicated.

Establish requirements for contingency actions
Communicate about possible contingency actions,
when relevant.

Obtain and manage customer feedback
This includes customer complaints, as well.
Audit suggestions
(Customer communication)

Are there responsibilities assigned for
customer communication?
Review the information about products and
services made available to (potential)
customers.
Is it easy for a customer to contact the
organization?
Review the process for managing customer
complaints and other customer
communications.
The organization informs about how it
intends to manage customer property?
Determining the requirements
for products and services

The organization shall ensure that the
requirements for products and
services are defined, and that it can
meet the claims for the products and
services it offers.
Audit suggestions
(Determining the requirements
for products and services)

Interviews, review of documents and
observation to confirm that the organization
can meet its claims about products and
services.
Review of the requirements
for products and services

The organization shall conduct a
review before committing to supply
products and services to a customer.
(to avoid the situation where the
commitments made cannot be met).
Review of requirements for
products and services

Specified customer requirements
Including those about the delivery or post-delivery
activities.

Requirements not stated, but necessary
Implied requirements (not explicitly stated by the
customers).

Requirements of the organization
Internal requirements of the organization.

Statutory and regulatory requirements
Applicable to the products and services.

Requirements that differ (from previously stated)
Differences between previously defined
requirements.
Review of the requirements
for products and services

When the customer does not provide
a documented statement of
requirements, the requirements must
be confirmed by the organization
before acceptance.
Changes to requirements for
products and services (8.2.4)

In case the requirements for products
and services change, the relevant
documented information shall be
amended, and the relevant persons
shall be made aware of the changes.
Audit suggestions
(Review of requirements for products
and services)

The system (and responsibilities) for
reviewing product and service requirements
(before signing contracts or accepting
orders).
Review of documented information.
How the organization manages changes to
the requirements for products and services.
Design and development
of products and services

The organization shall establish,
implement and maintain a design and
development process that is
appropriate to ensure the subsequent
provision of products and services.

Applicable or not?
Design and
development planning

To determine the necessary design
and development activities and tasks.
Design and development
planning

Nature, duration and complexity.
Stages of design and development (including reviews).
Verification and validation.
Responsibilities and authorities.
Resource needs.
Design and development
planning

Interfaces between the persons involved.
Potential involvement of customers/ users.
Requirements for the provision of products/ services.
Control expected by customers and other parties.
Necessary documented information.
Design and
development inputs

The organization shall determine the
requirements essential for the specific
types of products and services to be
designed and developed.
Design and
development inputs
(complete, unambiguous, adequate, documented)

Functional and performance requirements.
Information from previous design and development activities.
Statutory and regulatory requirements.
Standards or codes of practice.
Potential consequences of failure.
Design and
development controls

The organization shall apply controls
to the design and development
process.
Design and
development controls

Define the results to be achieved.
Review (focused on the design and development process).
Verification (focused on the outputs of the design and
development).
Validation (focused on the product or service).
Act on the problems identified.
Retain documented information.
Design and
development outputs

The outputs of design and development shall:
- meet the input requirements;
- be adequate for the subsequent processes;
- include or reference monitoring and measuring
requirements and acceptance criteria;
- specify the characteristics of the products and
services.
Design and
development changes

The organization shall identify, review
and control changes made during, or
subsequent to the design and
development of products and services.
Design and
development changes

Prevent the adverse impacts of
changes on conformity.

Retain documented information on:
- the details of the changes;
- the results of reviews;
- the authorization of changes and
- the actions taken.
Audit suggestions
(Design and development of
products and services)

Review documented information (design and
development inputs, outputs, controls,
changes).
Interviews (planning, review, verification,
validation).
Responsibilities and authorities.
Any conflicts? (persons reviewing their own
work).
Communication of changes.
Control of externally provided
processes, products and services

The organization shall ensure that
externally provided processes,
products and services conform to
requirements.

Controls must be applied.


Evaluation, selection and
monitoring of external
providers

The organization shall determine and
apply criteria for the evaluation,
selection, monitoring and re-evaluation
of external providers.
Type and
extent of control

The processes, products and services
obtained from external providers shall
not adversely affect the organization’s
ability to deliver conforming products
and services to its customers.

Risk-based thinking.
Type and
extent of control

Define controls for the external
providers and for the processes,
products and services they provide.
Information for
external providers

The organization shall ensure the
adequacy of requirements before it
communicates them to external
providers.
Information for
external providers

The organization shall communicate
its requirements to external providers.
Audit suggestions
(Control of externally provided
processes, products and services)

Responsibilities and authorities should be
established.
Review documented information on the
evaluation, selection, monitoring and
re-evaluation of external providers.
The application of controls (interviews,
review of documents and observation),
including their effectiveness.
Review the information communicated to
external providers (e.g., orders, contracts,
specifications).
Control of production
and service provision

The organization shall implement
production and service provision in
controlled conditions.
Controlled
conditions

Documented information available.
Monitoring and measuring resources available.
Monitoring and measuring activities.
Suitable infrastructure and environment for the
operation of processes.
Competent persons.
Validation and periodic revalidation.
Actions to prevent human error.
Release, delivery and post-delivery.
Audit suggestions
(Control of production and service
provision)

Available work instructions/ procedures?
Infrastructure, environment for the operation
of processes, monitoring and measuring
resources available? (observation, interview,
review of documents).
Processes that require validation?
Knowledge of the processes.
Identification and
traceability

The organization shall use suitable
means to identify outputs, when it is
necessary to ensure the conformity of
products and services.
Identification and
traceability

When traceability is a requirement, the
organization shall control the unique
identification of outputs, and retain
the necessary documented
information to ensure traceability.
Audit suggestions
(Identification and traceability)

How is the identification of outputs ensured?
Statutory, regulatory or contractual
requirements for identification and
traceability?
The methods used by the organization for
identification and traceability are effective?
Consider an exercise.
Property belonging to
customers or external providers

The organization shall exercise care
with property belonging to customers
or external providers, while it is under
its control.
Audit suggestions
(Property belonging to customers
and external providers)

Does the organization use (or have under its
control) goods belonging to its customers or
external providers?
How are those goods identified and
protected? (observation)
Responsibilities for protecting customer
property are assigned? (interviews)
Review of documented information.
Preservation

The organization shall preserve the
outputs during production and service
provision, to the extent necessary to
ensure conformity to requirements.
(identification, handling, packaging, storage,
contamination control, transmission/ transportation
or protection)
Audit suggestions
(Preservation)

Observation.
Interviews and review of documents (e.g.,
temperature monitoring records).
Calibration/ verification of the monitoring
and measuring equipment.
Communication of preservation
requirements to customers (if applicable).
Post-delivery
activities

The organization shall meet the
requirements for post-delivery
activities associated with the products
and services.
(delivery, installation, maintenance, warranties,
user training, recycling, etc.)
Audit suggestions
(Post-delivery activities)

Interviews and review of documented
information (warranty records, installation or
maintenance records, etc.).
Outsourcing of post-delivery activities?
Control of changes

The organization shall review and
control changes for production and
service provision, to the extent
necessary to ensure continuing
conformity with requirements.
Audit suggestions
(Control of changes)

The organization has established a change
management process?
Interviews and review of documented
information.
Release of
products and services

The release of products and services
to customers shall not proceed until all
planned arrangements are
successfully completed, unless
otherwise approved by an authority
and, as applicable, by the customer.
Audit suggestions
(Release of products and services)

Review documented information (e.g., test
reports, inspection records, declaration of
performance, etc.).
Responsibilities for authorizing the release of
products and services.
Control of
nonconforming outputs

Identify and control nonconforming
outputs, to prevent their unintended
use or delivery.
Options to deal with
nonconforming outputs

Correction.
Segregation, containment, return or
suspension of provision.
Inform the customer.
Authorization for acceptance under
concession.
Audit suggestions
(Control of nonconforming outputs)

Review of documented information.
Observation (of the controls intended to prevent the use or delivery of nonconforming outputs).
Data analysis.
Monitoring, measurement, analysis and evaluation

To determine if the intended results are being achieved.

The organization shall determine:
- what needs to be monitored and measured;
- methods;
- when to monitor and measure;
- when to analyze and evaluate the results of monitoring and measuring.
Audit suggestions
(Monitoring, measurement, analysis and evaluation)

Interviews and the review of documented information (e.g., key performance indicators (KPIs)).
Customer satisfaction

The organization shall monitor customers’ perception of the degree to which their needs and expectations have been fulfilled.
Audit suggestions
(Customer satisfaction)

How does the organization collect data on customer satisfaction?
Is the data collected representative?
Does the organization analyze the data on customer satisfaction?
Analysis and evaluation

The organization shall analyze and evaluate appropriate data and information arising from monitoring and measurement.
Audit suggestions
(Analysis and evaluation)

Review of documented information.
Methods to analyze data (statistical techniques).
Are the results of analysis and evaluation used to support decisions?
Internal audit

The organization shall conduct internal audits of the QMS at planned intervals.

Establish, implement and maintain an audit programme.
Internal audit

Auditor objectivity.
Results reported to the relevant
management.
Nonconformities addressed.
Documented information retained.

ISO 19011 – Guidelines for auditing management systems.
Audit suggestions
(Internal audit)

Confirm that internal audits of the QMS are planned and performed.
Competence of the auditors.
The management of nonconformities.
Review of documented information (audit programme(s), audit plans, reports, checklists).
The application of risk-based thinking.
Management review

Top management shall review the QMS at planned intervals to ensure that it continues to be suitable, adequate, effective and aligned with the organization’s strategic direction.
Management review inputs

✓ status of actions from previous reviews;
✓ changes in external and internal issues;
✓ information on the performance and effectiveness of the QMS (customer satisfaction and feedback from interested parties; quality objectives; process performance and conformity of the products and services; nonconformities and corrective actions; monitoring and measuring results; audit results; performance of external providers);
✓ adequacy of resources;
✓ effectiveness of the actions to address risks and opportunities;
✓ opportunities for improvement.
Management review outputs

✓ opportunities for improvement;
✓ changes needed to the QMS;
✓ resource needs.
Audit suggestions
(Management review)

Review of documented information.
Confirm the involvement of the top management.
Improvement

The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and to enhance customer satisfaction.
Audit suggestions
(Improvement)

Evidence of identification of improvement opportunities and implementation of actions to achieve improvement (interviews, review of documents, observation).
Nonconformity and corrective action

When a nonconformity is identified the organization shall react, deal with the consequences, investigate, identify the cause(s) and implement corrective action(s).
Managing
nonconformities

Correction – to eliminate a
nonconformity.
Corrective action – to eliminate the
cause of a nonconformity and prevent
recurrence.
Audit suggestions
(Nonconformity and corrective action)

Review of documented information (e.g., nonconformity reports).
Interviews.
Confirm the implementation and effectiveness of corrective actions.
Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the quality management system.
Management system auditing

Audit – systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.

ISO 19011 – Guidelines for auditing management systems.
Principles of auditing

Integrity – Auditors should perform their work ethically, with honesty and responsibility.
Fair presentation – Auditors are obliged to report truthfully and accurately.
Due professional care – Auditors should perform their work with professionalism.
Confidentiality – Auditors should not disclose or use for personal gain the information obtained.
Principles of auditing

Independence – Auditors should be independent from the activities audited.
Evidence-based approach – Auditors should take decisions based on verifiable objective evidence.
Risk-based approach – Audits should be planned and conducted with a focus on the matters important to the audited organization.
Different types of audits

1st party audit – internal audit
2nd party audit – e.g., supplier audit
3rd party audit – e.g., certification audit
Audit objectives, scope and criteria

Audit objectives – what should be achieved by the audit.
Audit scope – extent and boundaries of the audit.
Audit criteria – set of requirements used as reference, against which objective evidence is compared.
The audit team

One or more persons conducting an audit.
One auditor is appointed as the audit team leader.
Requirements for the audit team

Competence – the team shall have the required competence for the audit.
Impartiality – auditors shall be objective in their judgement.
Ability of the auditors to understand the organization and to work together effectively.
The audit plan
Information to be included in the audit plan:
- audit objectives, scope and criteria;
- audit type;
- audit team composition and representatives of the auditee;
- description of the audit activities;
- classification of findings and how they will be managed
(nonconformities and possibly improvement opportunities);
- language, resources and arrangements;
- information on the audit report;
- confidentiality provisions;
- schedule of the audit activities.
Conducting the audit

The lead auditor:
- coordinates the audit activities and assigns responsibilities to the members;
- keeps the auditee informed on the progress of the audit;
- agrees with the auditee on how different situations are to be managed.
Conducting the audit

Minimize the disturbance to the organization by:
- complying with the rules and obtaining permissions for access;
- using the required personal protective equipment;
- informing the audited persons about the audit and its objectives;
- respecting the program of the organization.
Nonconformities

Nonconformity – non-fulfilment of a
requirement (supported by evidence).
Major vs. minor nonconformities
Opportunities for improvement
The audit report

Prepared by the lead auditor.

Provides a complete, accurate, concise and clear record of the audit.
The audit report

Should include:
- identification of the audited organization;
- audit type, objectives, scope and criteria;
- audit team and representatives of the audited organization;
- summary of the audit process and reference to the plan;
- audit findings;
- required changes to the audit programme (if applicable);
- statement on the achievement of the audit objectives;
The audit report

Should include:
- any deviations from the audit plan;
- any areas not audited;
- any diverging opinions between the auditors and
the organization;
- audit conclusions;
- follow-up activities agreed (if any);
- confidentiality;
- distribution of the audit report.
Thank you!
