Post on 06-Feb-2022
Empowering Assurance
Systems Pvt Ltd
Course Material - Internal
Auditor Training ISO 15189:2012
CONTENTS
Preface
Audit Terminologies
Standard Explanation
Introduction to Management System audits
Performing an audit
Preface:
What will you Learn:
Understand the difference between a policy, a process and a procedure
Become familiar with the fundamentals of a quality system under 15189
Understand the fundamentals necessary to prepare for ISO standard 15189:2012
Develop a general familiarity with ISO 15189
This booklet provides a general overview of ISO 15189.
Those with specific interests should obtain a copy of the actual ISO 15189 standard.
The standard can be obtained from national standards bodies, from the ISO organization, or from
the Clinical and Laboratory Standards Institute.
Audit Terminologies:
Accreditation
Procedure by which an authoritative body gives formal recognition that an organization is
competent to carry out specific tasks
Alert interval
Critical interval
Interval of examination results for an alert (critical) test that indicates an immediate risk to the
patient of injury or death
Biological reference interval
Reference interval
Specified interval of the distribution of values taken from a biological reference population
Competence
Demonstrated ability to apply knowledge and skills
Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating
it objectively to determine the extent to which audit criteria are fulfilled
Corrective Action
Action to eliminate the cause of a detected nonconformity or other undesirable situation
Department
Section of a laboratory in which a single pathology discipline pursues its activities
Effectiveness
Extent to which planned activities are realised and planned results achieved
Efficiency
Relationship between the result achieved and the resources used
Examination
Set of operations having the object of determining the value or characteristics of a property
Laboratory Director
Competent person(s) with responsibility for, and authority over, a laboratory
Laboratory Management
Person(s) who manage the activities of the laboratory headed by the laboratory director
Materials
Consumables, calibrators, reagents, calibration material used in the performance of an
examination
Multidisciplinary Laboratory
Laboratory in which two or more pathology disciplines work in an integrated manner
Nonconformity
Nonfulfilment of a requirement
Organisation
Group of people and facilities with an arrangement of responsibilities, authorities and
relationships
Pre-examination processes
Preanalytical phase
Processes that start, in chronological order, from the clinician’s request and include the
examination request, preparation and identification of the patient, collection of the primary
sample(s), and transportation to and within the laboratory, and end when the analytical
examination begins
Primary sample
Specimen
Discrete portion of a body fluid, breath, hair or tissue taken for examination, study or analysis of
one or more quantities or properties assumed to apply for the whole
Process
Set of interrelated or interacting activities which transform inputs into outputs
Quality
Degree to which a set of inherent characteristics fulfils requirements
Quality indicator
Measure of the degree to which a set of inherent characteristics fulfils requirements
Quality management system
Management system to direct and control an organization with regard to quality
Quality policy
Overall intentions and direction of a laboratory related to quality as formally expressed by
laboratory management
Quality objective
Something sought, or aimed for, related to quality
Referral laboratory
External laboratory to which a sample is submitted for examination
Sample
One or more parts taken from a primary sample
Turnaround time
Elapsed time between two specified points through pre-examination, examination and post-
examination processes
Validation
Confirmation, through the provision of objective evidence, that the requirements for a specific
intended use or application have been fulfilled
Verification
Confirmation, through provision of objective evidence, that specified requirements have been
fulfilled
Do’s and Don’ts
Do Handle Glassware Safely
Eliminate potentially dangerous chemical reactions by thoroughly washing beakers, test tubes,
flasks and other glassware before and after use. This also helps ensure that results are not tainted
by chemical residue from previous experiments. Glassware can break, leaving behind potentially
harmful shards. Report any broken glass immediately and dispose of it properly.
Do Keep Notes
Write proper laboratory procedures, observations and instructions in a laboratory notebook, with
permanent binding and large pages. Lab notebooks help keep track of data, maintain records of
experiments and facilitate thinking.
Do Wear Gloves
Protect your hands with the proper gloves for each job. Handle hot and cold items with insulated
gloves, wear latex gloves during dissections, and use chemical-resistant gloves when working
with caustic chemicals.
Do Wear Closed-Toed Shoes
Protect your feet from spills, hot items and heavy objects by wearing shoes with closed toes.
Sandals and other open-toed footwear leave your feet vulnerable to burns and broken bones.
Do Practice Electrical Safety
Some experiments require electrical equipment. Before plugging in anything, make sure the plug
includes a ground prong. Whenever plugging or unplugging equipment, hold the plug by its
insulating cover. Never unplug anything by pulling or tugging the cord. Reduce the risk of shock
or shorts by keeping electrical equipment away from water and other liquids.
Don't Eat or Drink in the Lab
Eat before entering or after leaving the lab. Food, gum, mints, cough drops and beverages are
messy. They may get equipment dirty, contaminate samples, absorb chemicals or cause
accidents.
Don't Use Excessive Force
Some experiments require connecting glassware with glass tubes and rubber grommets or
plugging glassware with stoppers. Using excessive force can potentially chip or break the glass.
Don't Leave A Mess
Clean up spills immediately. Cover the spill with paper towels and then wipe it up from the
outside in, pushing the mess toward the center of the table, rather than the floor. Dispose of the
paper towels in a proper container. Clean up all laboratory equipment, materials, supplies and
work surfaces before leaving the lab. Make sure Bunsen burners and other sources of heat or gas
are properly turned off.
Standard Explanation:
Quality Policy
The quality policy is a statement of purpose for the laboratory.
It should describe, as briefly as possible, what the laboratory is about, why it exists, and what the
laboratory’s overall goals or objectives are. The wording should be general in scope. One
approach to writing a quality policy is to describe commitments the laboratory is willing to make
and then how (in general terms) the laboratory will meet those commitments. Ideally, the quality
policy will be no more than one paragraph in length.
An Example Quality Policy
This Laboratory is committed to producing reliable patient test results in a manner necessary to
ensure appropriate and timely patient care. The laboratory will strive to produce reliable patient
test results by combining processes that promote efficiency with technology appropriate to the
laboratory mission and operated by staff that is both trained and competent to perform the work.
Quality Manager
The Quality Manager is responsible for the continued integrity of the quality system. In this
capacity the Quality Manager must:
• Ensure the components of the quality management system (QMS) are current and relevant
• Ensure the QMS is audited at regular intervals
• Keep laboratory management informed of all activities and findings of the QMS
• Ensure all staff are committed to, and actively involved in, the QMS
• Facilitate introduction of new quality system procedures or modifications to existing
procedures
• Act as liaison between the laboratory and other interfacing departments of the parent
organization, as well as internally – between various departments within the laboratory itself
Organization & Management
The laboratory must be legally identifiable and free of any financial or commercial conflicts of
interest. Laboratory management is responsible for the design, implementation and maintenance
of the quality management system. This
is to be accomplished through policies and procedures, and by granting authority and
responsibility to individuals to develop and maintain the management system. Laboratory
management must provide adequate financial, educational and human resources, so that the
laboratory can meet its stated objectives and mission. Management must also appoint a Quality
Manager and deputies as required.
Quality Management System
Policies, processes and procedures shall be documented and communicated to all personnel. The
laboratory shall have a quality policy statement documented in the Quality Manual. The
laboratory shall have a Quality Manual.
Document Control
ISO 9000:2005 defines a document as “information (meaningful data) and its supporting
medium.” As a general rule, a document can be either a paper copy or electronic. It is something
that is not written on, except perhaps for an approval signature and date of approval, or stamped
with a seal to show that it is the master document. Procedures, product inserts, material safety
data sheets, research papers or journal articles that might support a testing protocol are all
examples of documents. ISO 15189 requires that all documents be controlled. They must be
approved for use by appropriate laboratory authority, usually the Laboratory Director. They must
be reviewed at regular intervals to ensure continued relevance. This can be easily accomplished
by having a master list, or
inventory of documents, that shows which documents are currently in use, their revision number
and the date of revision. The master list also identifies obsolete documents, which must be
removed from all points of use. Obsolete documents can be archived, but precautions must be
taken to avoid inadvertent use. The laboratory must also have a procedure for making
amendments and corrections to documents. All amended documents must be reviewed and
approved for use by the appropriate laboratory authority. Maintenance of documents is a core
requirement for achieving accreditation.
4.4: Service Agreements
At regular intervals, the laboratory must review any agreement for services it provides to its
clients (including but not limited to clinicians, health care bodies, health insurance companies,
pharmaceutical companies, and other departments such as pharmacy or nursing within the
hospital structure) to ensure that the laboratory can meet the requirements such as
methodologies, turn-around times, availability of expert opinion, etc. Records of these reviews
shall be kept and maintained by the laboratory, and should include deviations. Service
Agreements do not always need to be formal documents between the laboratory and some
outside resource.
4.5: Examination by Referral Laboratories
Laboratories frequently select referral laboratories (laboratories that provide analytical support to
the primary
laboratory) based solely on cost. ISO 15189 specifically requires laboratories to have a procedure
for evaluating
and selecting referral laboratories, as well as consultants who provide opinions for
histopathology and/or cytology.
Laboratories are also required to monitor the quality of referral laboratories. Selecting only
laboratories that operate
under an accredited quality system can be an initial means to accomplish this objective.
Alternately, the laboratory may submit previously determined specimens as unknown samples to
the referral laboratory for analysis or interpretation, or require referral laboratories to share their
performance scores from relevant EQA (proficiency testing) schemes. The laboratory must
maintain a register of all referral laboratories it uses, and a register of all tests referred and results
reported.
4.6: External Services and Supplies
The laboratory is required to have policy and procedures in place that describe what must be
done before selecting an outside vendor. There should be verification that purchased services
meet laboratory requirements/needs and purchased supplies meet manufacturer specifications,
particularly for equipment, supplies, and consumables used to produce a laboratory test result.
The laboratory can also begin by purchasing supplies, especially those critical to producing a test
result, from vendors that operate under a certified or accredited quality system. Most
manufacturers of laboratory equipment, reagents and consumables already have numerous
certifications from various organizations and government agencies.
4.7: Advisory Services
The laboratory should meet regularly with clinical staff regarding services and clinical
interpretation of results.
4.8: Resolution of Complaints
Complaints by laboratory clients about laboratory staff or services represent a primary
opportunity to identify weaknesses in the quality management system and present an
opportunity for improvement. The
laboratory must keep a record of the complaint. The record should include the nature of the
complaint, the date of occurrence, individuals involved, any investigations undertaken by the
laboratory and the resolution.
4.9: Identification and Control of Nonconformities
When an occurrence conflicts with a stated policy, process or procedure, the occurrence is
classified as a nonconformance (event), meaning that whatever occurred did not conform to the
quality management system. Nonconformance events must be recorded, root cause investigated
and documented, corrective action taken and then documented. Testing may be stopped and
results withheld until the nonconformance is resolved, depending on the nature and criticality of
the nonconformance. Results reported during a situation or period of nonconformance should be
recalled when the nonconformance is of a critical nature. Nonconformance occurrences would
include testing a plasma sample when a serum sample is required for the test; using expired
reagents; modifying the test procedure without approval, as in increasing incubation temperature
to shorten incubation time; using tap water to reconstitute reagents when the procedure requires
use of distilled water; and improperly preserving a sample for later testing.
4.10: Corrective Action
The laboratory must have a procedure that describes and documents the reaction by the
laboratory to a nonconformance occurrence once a root cause has been identified. The laboratory
shall also monitor and document
the effectiveness of the corrective action over time.
4.11: Preventive Action
The laboratory shall have appropriate and effective action plans to reduce the likelihood of
nonconformance situations. Preventive action plans might include regular review of data
generated from routine testing of quality control materials.
4.12: Continual Improvement
Laboratory management must review all operational procedures at regular intervals. The
frequency should be
no less than annually. Management shall implement quality indicators to monitor the
laboratory’s overall contribution to patient care. The quality system should be reviewed for
redundancies, such as policies or procedures that do little
to enhance quality; and for inherent weaknesses, such as areas that have frequent
nonconformance events or client
complaints and therefore need closer scrutiny or tighter.
4.13: Control of Records
Here a record is defined as “evidence of results achieved or activities performed.” As a general
rule, a record is something that is written upon. It can be electronic or on paper. Records include
quality control records, instrument printouts, patient test reports, patient test requisitions, records
of specimen referrals, nonconformity
records, and complaint records. Records also include any log or list that is constantly modified
by the laboratory, such as specimen acquisition records, calibration and maintenance logs, out-
patient registers, and contact logs with outside clients. Records must be kept and maintained by
the laboratory for specified periods of time as defined by the
laboratory, government agencies, or accrediting bodies.
4.14: Evaluation and Audits
The quality system must undergo internal and external audits. The purpose of both internal and
external audits is to verify the laboratory is in compliance with the quality management system.
An external audit is usually performed by some agency or organization approved for such
purposes. Passing the audit usually leads to accreditation of the laboratory. ISO 15189
recommends annual internal audits. Internal audits are usually performed by trained and
qualified staff. It is important to recruit and train internal auditors from all sections of the
laboratory operation. It is possible that a clerk, particularly one who is inquisitive, may make a
very insightful and thorough auditor. Internal audit findings are documented and the laboratory
must develop a plan to correct and/or respond to the findings. A reminder: documenting actions
taken creates a quality record.
4.15: Management Review
Management must review the quality system at regular intervals. Normally this would be done
annually, but shorter intervals are encouraged with a new quality system. The purpose of the
review is for management to assess its level of commitment to the quality management system
during the past 12 months, to evaluate the effectiveness of the system and to recommend changes
as necessary. The review shall include an overview of all nonconformance events during the
year, the actions taken, preventive measures put in place, feedback from clients, results of the
internal quality control program, and performance in EQA or proficiency testing. Findings and
actions taken by laboratory management as a result of the annual review are documented and
become a quality record.
5.1: Personnel
Laboratory management must have and maintain job descriptions, including qualifications to
perform specific job functions. Certified or licensed personnel should be utilized when required.
Personnel making judgments regarding test results must possess appropriate knowledge and
experience. Management must provide
adequate training, continuing education or access to training for technical staff, and assess staff
competency at regular intervals.
5.2: Accommodation and Environmental Conditions
The laboratory shall have adequate space and a safe environment in which to perform testing. It
must provide adequate lighting, ventilation, water, waste and refuse disposal. Attention should
be given to
dust, electromagnetic
interference, ambient temperature and humidity levels, electrical supply, as well as sound and
vibration levels.
Records of environmental conditions, particularly temperature and humidity, should be kept and
maintained where relevant or required. Work areas shall be clean and well maintained.
Precautions must be taken to prevent cross contamination, particularly in laboratories performing
mycobacteriology or nucleotide amplification techniques. The laboratory must also be designed
to accommodate patient disabilities and privacy.
5.3: Laboratory Equipment
Laboratory equipment, as defined in ISO 15189, comprises instruments, reference materials,
consumables, reagents, analytical systems, and laboratory information systems. The laboratory
shall have adequate equipment to perform testing to meet its stated laboratory mission. It must
verify the equipment meets performance requirements specified
by the laboratory or claimed by the manufacturer. The laboratory shall have policies and
procedures that specify
regular monitoring of instrument calibration and preventive maintenance. Calibration and
maintenance records must be maintained, including reports/certificates of all calibrations and/or
verifications which should include dates, times, acceptance criteria, results, adjustments, and due
date of the next calibration and/or verification. When equipment requires use of cofactors to
modify raw data or transform a patient test result, the laboratory must have procedures in place
to ensure that old cofactors are updated.
5.4: Pre-Examination Processes
Requests for testing must provide:
• Some form of patient identification
• Name of the ordering physician or other person authorized to order testing
• Clinician’s address
• Type of primary sample collected
• Anatomic site where appropriate
• Test requested
• Patient gender
• Date of birth
• Pertinent clinical information as appropriate for purposes of test interpretation
• Date and time of sample collection and receipt in the laboratory
• Preferred sample type (venous, arterial, capillary, urine, spinal fluid)
• Type of anticoagulant
• Sample volume considered acceptable
The laboratory shall maintain a record of all samples received. When a sample is transported to
or from the laboratory, efforts must be made to monitor the time lapse between sample collection
and receipt by the laboratory. In addition, the temperature during transport should be mentioned,
since some samples must be kept at room temperature, others at 2-8°C or frozen.
The laboratory shall also have procedures on how to accept verbal requests, as well as approved
procedures for proper specimen collection that address specific collection requirements.
Procedures shall also describe requirements for patient preparation and storage of specimens
once collected. The laboratory shall reject primary specimens not meeting identification or
specimen requirements.
5.5: Examination Processes
The process of analysis shall be specified by validated written or electronic procedures
maintained in and by the laboratory. Procedures may be authored by the laboratory or may be
previously published materials including, but not limited to, product inserts, instrument manuals,
textbooks, journals, or international guidelines. Test procedures developed by the laboratory (in-
house procedures) must be validated and fully documented before being put into use. All
procedures must be in a language commonly understood by laboratory staff.
5.6: Ensuring Quality of Examination Results
The laboratory shall have an internal quality control (QC) program to verify the quality of
produced patient test results.
While the character of the internal QC program is not specified in the ISO standard, in an effort
to allow for flexibility, such a program should include regular testing of QC materials at a
frequency sufficient to detect errors in the analytical process when error occurs. Laboratories
should also consider the use of independent control materials; either instead of, or in addition to,
any control materials supplied by the reagent or instrument manufacturers. ISO 15189 further
requires that QC frequency be determined by taking into account both the performance of the test
and potential risk of harm to a patient from an incorrect result.
5.7: Post Examination Processes
Authorized personnel shall routinely examine results before reporting. Once a sample is used, it
must be maintained in the laboratory for a specified period of time at a temperature that ensures
stability of the sample, in the event that the sample is needed for retesting. Used samples shall be
disposed of in a safe and environmentally sensitive manner.
5.8: Reporting of Results
Test results must be reported on forms approved by laboratory management under the quality
system and must
clearly identify:
• Patient
• Date and time of specimen collection
• Test performed
• Reference or normal range
• The laboratory interpretation where appropriate
• Name or initial of person performing the test
• Authorized signature of person reviewing the report and releasing the results
5.9: Release of Results
The results must be legible, without transcription mistakes and reported only to persons
authorized to receive them,
such as the ordering physician or nursing staff in a hospital environment. The report must also
indicate whether the sample received was unacceptable for testing. Reports of test results are
quality records and must be kept for a
period of time specified by the laboratory or a government requirement. The laboratory must
have procedures for handling critical values, automated reporting of results and revised reports.
5.10: Laboratory Information Management
The laboratory must have a documented procedure to protect the confidentiality of patient
information. Authority
and responsibility of the information system must be clearly identified in addition to responsible
use of the system by laboratory staff. Since Laboratory Information Systems are intended to
process / handle laboratory and patient data,
including transfer of data, the lab must verify the data is accurately reproduced.
Computer software must be validated as appropriate before being put into use. Precautions must
be taken to protect the integrity and privacy of the patient data archived in electronic formats.
Access to the programs must be restricted to prevent alteration or destruction of data by
unauthorized persons.
INTRODUCTION TO MANAGEMENT SYSTEM AUDITS
Audits can be distinguished as:
a. First party audits
b. Second party audits
c. Third party audits
FIRST PARTY AUDITS
First-party audits are often called internal audits. This is when someone from the
organization itself will audit a process or set of processes in the quality management system to
ensure it meets the procedure that the company has specified. This person can be an employee of
the organization or someone hired by the organization to perform the internal audits, such as a
consultant, but the important thing is that the person is acting on behalf of the company rather
than a customer or certification body. This type of audit is focused not only on whether the
company processes meet the requirements of a standard, but all rules the company has set for
itself. The audit will look for problem areas, areas where processes do not align with each other,
opportunities for improvement, and the effectiveness of the quality management system. By
design, these audits can and should be much more in depth than the other audits, since this is one
of the best ways for a company to find areas to improve upon.
SECOND PARTY AUDITS
A second-party audit is when a company performs an audit of a supplier to ensure that they are
meeting the requirements specified in the contract. These requirements may include special
control over certain processes, requirements on traceability of parts, requirements for special
cleanliness standards, requirements for specific documentation, or any of a host of other items of
special interest to that customer.
THIRD PARTY AUDITS
A third-party audit occurs when a company has decided that they want to create a
management system that conforms to a standard set of requirements and hire an independent
company to perform an audit to verify that the company has succeeded in this endeavor. These
independent companies are called certification bodies or registrars, and they are in the business
of conducting audits to compare and verify that the Management System meets all the
requirements of the chosen standard, and continues to meet the requirements on an ongoing
basis. They then provide certification to companies that they approve. This can be used to give
customers of the certified company confidence that the Management System meets the
requirements of the chosen standard.
Auditing terms and definitions
Audit: systematic, independent and documented process for obtaining audit evidence and
evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Audit criteria: set of policies, procedures or requirements used as a reference against which
audit evidence is compared
Audit evidence: records, statements of fact or other information which are relevant to the audit
criteria and verifiable
Audit Findings: results of the evaluation of the collected audit evidence against audit criteria
Audit conclusion: outcome of an audit, after consideration of the audit objectives and all audit
findings
Audit client: organization or person requesting an audit
Auditee: organization being audited
Auditor: Person who conducts an audit
Audit team: One or more auditors conducting an audit, supported if needed by technical experts
Audit programme: Arrangements for a set of one or more audits planned for a specific time
frame and directed towards a specific purpose
Audit scope: Extent and boundaries of an audit.
Audit plan: Description of the activities and arrangements for an audit
Competence: Ability to apply knowledge and skills to achieve intended results
AUDITING PRINCIPLES
a. Integrity: the foundation of professionalism
b. Fair presentation: the obligation to report truthfully and accurately
c. Due professional care: the application of diligence and judgement in auditing
d. Confidentiality: security of information
e. Independence: the basis for the impartiality of the audit and objectivity of the audit
conclusions
f. Evidence-based approach: the rational method for reaching reliable and reproducible
audit conclusions in a systematic audit process
AUDIT OBJECTIVES
Each individual audit should be based on documented audit objectives, scope and criteria.
The audit objectives define what is to be accomplished by the individual audit and may
include the following:
• determination of the extent of conformity of the management system to be audited, or
parts of it, with audit criteria;
• determination of the extent of conformity of activities, processes and products with the
requirements and procedures of the management system;
• evaluation of the capability of the management system to ensure compliance with legal
and contractual requirements and other requirements to which the organization is
committed;
• evaluation of the effectiveness of the management system in meeting its specified
objectives;
• identification of areas for potential improvement of the management system.
AUDIT SCOPE
The audit scope should be consistent with the audit programme and audit objectives. It
includes such factors as physical locations, organizational units, activities and processes to be
audited, as well as the time period covered by the audit.
AUDIT CRITERIA
The audit criteria are used as a reference against which conformity is determined and may
include applicable policies, procedures, standards, legal requirements, management system
requirements, contractual requirements, sector codes of conduct or other planned arrangements.
ROLES AND RESPONSIBILITIES OF AUDITOR
Comply with the audit requirements
Plan and perform assigned responsibilities effectively and efficiently.
Document all observations and report the results
Verify effectiveness of corrective actions.
Retain and safeguard audit documents.
Communicate and participate in audit team meetings.
AUDITOR COMPETENCE
Auditors should possess the knowledge and skills necessary to achieve the intended
results of the audits they are expected to perform. All auditors should possess generic knowledge
and skills and should also be expected to possess some discipline and sector-specific knowledge
and skills. Audit team leaders should have the additional knowledge and skills necessary to
provide leadership to the audit team.
GENERIC KNOWLEDGE AND SKILLS OF AUDITOR
Auditors should have knowledge and skills in the areas outlined below.
Audit principles, procedures and methods: knowledge and skills in this area enable the auditor
to apply the appropriate principles, procedures and methods to different audits, and to ensure that
audits are conducted in a consistent and systematic manner. An auditor should be able to do the
following:
Apply audit principles, procedures, and methods;
Time management
Prioritize and focus on matters of significance;
Effective interviewing, listening, observing
Reviewing documents, records and data;
Understand and consider the experts’ opinions;
Using sampling techniques for auditing;
Verify collected information;
Confirm the sufficiency of audit evidence
Assess reliability of the audit
Use work documents
Document audit findings
Prepare appropriate audit reports;
Maintain confidentiality and security of information
Communicate effectively
Understand the types of risks
PERSONAL BEHAVIOR OF AN AUDITOR
Auditors should possess the necessary qualities to enable them to act in accordance with
the principles of auditing as described earlier. Auditors should exhibit professional behavior
during the performance of audit activities, including being:
ethical, i.e. fair, truthful, sincere, honest and discreet;
open-minded, i.e. willing to consider alternative ideas or points of view;
diplomatic, i.e. tactful in dealing with people;
observant, i.e. actively observing physical surroundings and activities;
perceptive, i.e. aware of and able to understand situations;
versatile, i.e. able to readily adapt to different situations;
tenacious, i.e. persistent and focused on achieving objectives;
decisive, i.e. able to reach timely conclusions based on logical reasoning and analysis;
self-reliant, i.e. able to act and function independently whilst interacting effectively with
others;
acting with fortitude, i.e. able to act responsibly and ethically, even though these actions
may not always be popular and may sometimes result in disagreement or confrontation;
open to improvement, i.e. willing to learn from situations, and striving for better audit
results;
culturally sensitive, i.e. observant and respectful to the culture of the auditee;
collaborative, i.e. effectively interacting with others, including audit team members and
the auditee’s personnel.
PERFORMING AN AUDIT
AUDIT PLAN
The audit team leader should prepare an audit plan based on the information contained in
the audit programme and in the documentation provided by the auditee. The audit plan should
consider the effect of the audit activities on the auditee’s processes and provide the basis for the
agreement among the audit client, audit team and the auditee regarding the conduct of the audit.
The plan should facilitate the efficient scheduling and coordination of the audit activities in order
to achieve the objectives effectively.
Why plan?
The audit plan is used to facilitate the efficient scheduling and coordination of the audit
activities in order to achieve the objectives effectively.
What should the audit plan cover?
The audit objectives
Audit scope & criteria
Locations, dates, expected time and duration of audit
Audit methods to be used
Roles and responsibilities of the audit team members, as well as guides and observers
Parts of System to be audited
Any follow-up actions from a previous audit, etc.
1.1 PREPARING WORK DOCUMENTS
The audit team members should collect and review the information relevant to their audit
assignments and prepare work documents, as necessary, for reference and for recording audit
evidence. Such work documents may include the following:
checklists;
audit sampling plans;
forms for recording information, such as supporting evidence, audit findings and records
of meetings.
The use of checklists and forms should not restrict the extent of audit activities, which
can change as a result of information collected during the audit.
Work documents, including records resulting from their use, should be retained at least
until audit completion, or as specified in the audit plan. Those documents involving confidential
or proprietary information should be suitably safeguarded at all times by the audit team
members.
Questions to consider when preparing work documents:
a. Which audit record will be created by using this work document?
b. Which audit activity is linked to this particular work document?
c. Who will be the user of this work document?
d. What information is needed to prepare this work document?
For combined audits, work documents should be developed to avoid duplication of audit
activities by:
clustering of similar requirements from different criteria;
coordinating the content of related checklists and questionnaires.
The work documents should be adequate to address all those elements of the management system
within the audit scope and may be provided in any media.
CHECKLISTS
Purpose
Aide Memoire
Provide a framework for the audit
Ensure nothing is missed out
Methods:
Checklists can be prepared for verification based on:
Requirements of ISO 9001:2015 standard
Requirements of Organization’s QMS documents
Objective of the audit etc.
Advantage:
An audit checklist helps ensure the audit is conducted systematically, by promoting
planning using a consistent approach.
Disadvantage:
Rigid adherence may lead to missing audit trails.
SAMPLING
Audit sampling takes place when it is not practical or cost effective to examine all
available information during an audit, e.g. records are too numerous or too dispersed
geographically to justify the examination of every item in the population. Audit sampling of a
large population is the process of selecting less than 100 % of the items within the total available
data set (population) to obtain and evaluate evidence about some characteristic of that
population, in order to form a conclusion concerning the population.
The objective of audit sampling is to provide information for the auditor to have confidence that
the audit objectives can or will be achieved.
When sampling, consideration should be given to the quality of the available data, as sampling
insufficient and inaccurate data will not provide a useful result. The selection of an appropriate
sample should be based on both the sampling method and the type of data required, e.g. to infer a
particular behavior pattern or draw inferences across a population.
Reporting on the sample selected could take into account the sample size, selection
method and estimates made based on the sample and the confidence level.
COLLECTING AND VERIFYING INFORMATION
During the audit, information relevant to the audit objectives, scope and criteria,
including information relating to interfaces between functions, activities and processes, should
be collected by means of appropriate sampling and should be verified. Only information that is
verifiable should be accepted as audit evidence. Audit evidence leading to audit findings should
be recorded. If, during the collection of evidence, the audit team becomes aware of any new or
changed circumstances or risks, these should be addressed by the team accordingly.
SELECTING THE SOURCE OF INFORMATION
The sources of information selected may vary according to the scope and complexity of the audit
and may include the following:
interviews with employees and other persons;
observations of activities and the surrounding work environment and conditions;
[Figure: Source, Sampling, Evidence, Evaluate, Findings, Review, Conclusions]
documents, such as policies, objectives, plans, procedures, standards, instructions,
licenses and permits, specifications, drawings, contracts and orders;
records, such as inspection records, minutes of meetings, audit reports, records of
monitoring and the results of measurements;
data summaries, analyses and performance indicators;
information on the auditee’s sampling plans and on the procedures for the control of
sampling and measurement processes;
reports from other sources, e.g. customer feedback, external surveys and
measurements, other relevant information from external parties and supplier ratings;
databases and websites;
simulation and modeling.
METHODS:
Interviews
Observations
Review of documents, including records
INTERVIEWING
Purpose:
Interviewing in an auditing context is held with persons from appropriate levels and
functions performing activities or tasks and is one of the important means of collecting
information.
It should be carried out in a manner adapted to the situation and the person interviewed,
either face to face or via other means of communication.
The auditor should consider the following:
interviews should be held with persons from appropriate levels and functions performing
activities or tasks within the audit scope;
interviews should normally be conducted during normal working hours and, where
practical, at the normal workplace of the person being interviewed;
attempt to put the person being interviewed at ease prior to and during the interview;
the reason for the interview and any note taking should be explained;
careful selection of the type of question used (e.g. open, closed, leading questions);
the results from the interview should be summarized and reviewed with the interviewed
person;
the interviewed persons should be thanked for their participation and cooperation.
1.2 TECHNIQUES FOR ASKING QUESTIONS:
Every audit has objectives, and auditors who lose sight of them will not be effective.
It is important for an auditor to always keep the audit objectives in mind in order to be effective
in collecting information. For this the interviewer has to ask the right questions. Various
questioning techniques are:
Open questions
These types of questions elicit longer answers. They usually begin with “What?”, “Why?”,
“How?”, “When?”, “Where?” etc. An open question asks the respondent for her or his
knowledge, opinion or feelings. “Tell me” or “Describe” can also be used. For example:
o Describe your process.
o Why is it done this way?
o Tell me what happens next, etc.
Open questions are good for:
o Developing an open conversation
o Finding out more detail
o Finding out the auditee’s opinion etc.
Closed questions
A closed question usually receives a single word or very short factual answer.
For example:
o Do you measure your process? – the answer is usually a “yes” or “no”
o Are you recording your process measurements?
o Where in the processes do you verify the results? – a short factual answer like
during ….
Closed questions are good for:
o Testing your or the auditee’s understanding.
o Concluding a discussion or making a decision
o Framing a situation
A misplaced closed question, on the other hand, can kill the interviewing process and
lead to an awkward silence, so closed questions are best avoided when an interview is in full flow.
Probing questions
Asking probing questions is a strategy for finding more details. It can be used to investigate
whether there is proof of what the auditee is saying. An effective way of probing is to use the
“5 Whys” method, which can help you get to the root of a problem.
This questioning method is good for:
o Gaining clarification
o Drawing information out of auditees who are trying to avoid telling you
something.
Leading questions
This method tries to lead the auditee to your way of thinking:
For example – “How late do you think the delivery of outputs will be delayed?” This assumes
that delivery will not take place on time.
This type of question may be good for getting an answer that you want while at the same
time making the auditee feel that he or she has a choice. It is also good for closing and agreeing
on an audit finding.
Funnel questions
This technique involves starting with general questions, then homing in on a point in each
answer and asking more and more details at each level.
This technique is good for:
o Finding out more details about a specific area or context.
o Getting the interest or increasing the confidence of the auditee
Where to use?
By knowing where to use these techniques, you can gain the information more effectively.
For Learning: Ask open and closed questions and use probing questions.
Relationship building: to evoke positive responses, e.g. by asking about what they do or
their opinion.
Avoiding misunderstandings: use probing questions
De-fusing a heated situation: use funnel questions, e.g. to go into more details about
their grievance.
Persuading the auditee: by asking a series of open questions so that the auditee
understands the reasons behind your point of view.
ACTIVE LISTENING:
Listening is an important skill an auditor should develop. The effectiveness of an audit
interview depends a lot on this skill of an auditor. It also helps to develop an open and positive
relationship with the person being audited.
For active listening, an auditor should:
• Show interest
• Maintain eye-contact
• Paraphrase rather than question
• Concentrate on what others are saying
• Avoid early evaluations
• Avoid getting defensive
• Listen (and observe) for feelings
GENERATING AUDIT FINDINGS
Audit evidence should be evaluated against the audit criteria in order to determine audit
findings. Audit findings can indicate conformity or nonconformity with audit criteria. When
specified by the audit plan, individual audit findings should include conformity and good
practices along with their supporting evidence, opportunities for improvement, and any
recommendations to the auditee.
Nonconformities and their supporting audit evidence should be recorded.
Nonconformities may be graded. They should be reviewed with the auditee in order to obtain
acknowledgement that the audit evidence is accurate, and that the nonconformities are
understood. Every attempt should be made to resolve any diverging opinions concerning the
audit evidence or findings, and unresolved points should be recorded.
The audit team should meet as needed to review the audit findings at appropriate stages
during the audit.
NC Scenario 1
During an internal audit, you cross-check the plasma test. For one of the blood samples collected
for the plasma test, you ask the lab technician about the method he followed in completing the
test. He says that he collects the plasma in a 1.5 ml green/yellow-top (plasma separator) tube for
line draws and 2 ml for off-site specimens in a gold-top serum separator tube.
But when you check the procedure, you find that the volumes specified are 3 ml and 3.5 ml
respectively. When asked, he says that the procedure has changed recently but he still follows
the method he described. The lab manager says that he was not aware that the smaller amount is
still being drawn for the test.
Failure: Personnel working in the laboratory are not aware of the criteria followed.
Evidence: The plasma is collected in a 1.5 ml green/yellow-top (plasma separator) tube for line
draws and 2 ml for off-site specimens in a gold-top serum separator tube, whereas the procedure
specifies 3 ml and 3.5 ml respectively.
Requirement: 5.1.5 Training
The laboratory shall provide training for all personnel which includes the following areas: b) assigned work processes and procedures.
NC Scenario 2
During an audit, you check the refrigerator used for storing the samples and solutions. The
temperature was set at -18 °C, but when you measure the inner temperature it shows -14 °C.
When asked about it, the lab assistant replies that this often happens during compressor
failure, and that when they come across it they inform the maintenance department to rectify it.
The maintenance record shows that it was rectified twice in the last 2 months.
When you ask about validation of the set temperature against the temperature achieved, the
lab assistant replies that no such practice is in place. If the compressor starts working, the
maintenance engineer closes the complaint at that point.
Failure: The laboratory has not examined the actual cause of the failure and has not maintained
the equipment.
Evidence: The temperature was set at -18 °C, but the measured inner temperature shows -14 °C. The maintenance record shows that it was rectified twice in the last 2 months. When asked about validation of the set temperature against the temperature achieved, the lab assistant replies that no such practice is in place.
Requirement: 5.3.1.5 Equipment maintenance and repair
Whenever equipment is found to be defective, it shall be taken out of service and clearly labelled. The laboratory shall ensure that defective equipment is not used until it has been repaired and shown by verification to meet specified acceptance criteria. The laboratory shall examine the effect of any defects on previous examinations and institute immediate action or corrective action.
DETERMINING AUDIT FINDINGS
When determining audit findings, the following should be considered:
follow-up of previous audit records and conclusions;
requirements of audit client;
findings exceeding normal practice, or opportunities for improvement;
sample size;
categorization (if any) of the audit findings;
RECORDING CONFORMITIES
For records of conformity, the following should be considered:
identification of the audit criteria against which conformity is shown;
audit evidence to support conformity;
declaration of conformity, if applicable.
RECORDING NONCONFORMITIES
For records of nonconformity, the following should be considered:
description of or reference to audit criteria;
nonconformity declaration;
audit evidence;
related audit findings, if applicable.
REPORTING AN AUDIT
NONCONFORMANCE REPORT
A nonconformance report (NCR) should be:
Clearly written – quote the requirement (assign the appropriate clause of the standard
and/or organization’s QMS requirement) (Attribution of reference)
Cite the situation – how has the requirement not been fulfilled? (Explanation)
Describe the objective evidence such that it is verifiable. (Observation)
COMPLETING THE AUDIT
The audit is completed when all planned audit activities have been carried out, or as
otherwise agreed with the audit client (e.g. there might be an unexpected situation that prevents
the audit being completed according to the plan).
Documents pertaining to the audit should be retained or destroyed by agreement between
the participating parties and in accordance with audit programme procedures and applicable
requirements.
Unless required by law, the audit team and the person managing the audit programme
should not disclose the contents of documents, any other information obtained during the audit,
or the audit report, to any other party without the explicit approval of the audit client and, where
appropriate, the approval of the auditee. If disclosure of the contents of an audit document is
required, the audit client and auditee should be informed as soon as possible.
Lessons learned from the audit should be entered into the continual improvement process
of the management system of the audited organizations.
CONDUCTING AUDIT FOLLOW-UP
The conclusions of the audit can, depending on the audit objectives, indicate the need for
corrections, or for corrective, preventive or improvement actions. Such actions are usually decided and
undertaken by the auditee within an agreed timeframe. As appropriate, the auditee should keep
the person managing the audit programme and the audit team informed of the status of these
actions.
The completion and effectiveness of these actions should be verified. This verification
may be part of a subsequent audit.
CORRECTION AND CORRECTIVE ACTION
CORRECTION:
An action taken immediately to set right a nonconformity in the short term, for example
setting right a defective product or correcting an incorrect invoice.
CORRECTIVE ACTION:
• Taken to eliminate the cause of a detected nonconformity.
• Eliminate the root cause(s) to prevent recurrence of the nonconformity.
Both correction and corrective action may be required in many scenarios.
VERIFYING EFFECTIVENESS OF CORRECTIVE ACTIONS
On proposed actions:
The response of an organization in implementing corrective action is to be reviewed before
acceptance.
Important elements to verify in the review:
• Verify the appropriateness of root causes
• Proposed actions – clear and concise?
• Are they thorough and accurate?
Post implementation
QMS auditors are responsible for verifying the effectiveness of corrective actions.
• Verify correction
• Verify the effectiveness of corrective actions to prevent recurrence of nonconformity.
• Verify evidence supporting the claim that a corrective action has been fully implemented