Transcript of Auditing Course All Slides
-
QualityGurus.com
Overview of Auditing Process
Planning and Preparation
Opening Meeting
Audit Interviews
Closing Meeting
Reporting
Follow-up and Closure
-
Audit Fundamentals - Agenda
Terms
Audit Purpose
Audit Types
Audit Criteria
Roles & Responsibilities
Liability
-
Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
-
Audit Criteria
Set of policies, procedures or requirements used as a reference against which the audit evidence is compared.
-
Audit Evidence
Records, statements of fact or other information which are relevant to the audit criteria and verifiable.
-
System, Product and Process Audits
System
Process
Product
-
Product Audits
Assessment of fitness for use
Product meets the design requirements
-
Process Audits
One specific process, activity or function
To compare the actual process with the documented requirements of the process.
-
System Audits
Comprehensive audit of multiple processes
Includes the interaction between processes
-
First, Second and Third Party Audits
First Party: Internal
Second Party: By client
Third Party: By a third party appointed by client
-
First Party Audits
Internal audits
Performed within an organization
Auditors have no vested interest in the area being audited
-
Second Party Audits
Performed by Customers on suppliers
Before or after awarding a contract
-
Third Party Audits
Performed by an audit organization independent of the customer-supplier relationship
Free from any conflict of interest
-
First, Second and Third Party Audits
First Party: Internal
Second Party: External
Third Party: External
-
Benefits of Internal Audits
Identify risks
Identify opportunities for improvement
Verify products fit for use
Procedures exist and are effective
Remedial actions are taken that are effective
Find the problems before the customer does
-
Benefits of Internal Audits
Reduce rework, rejections
Avoid lawsuits by meeting legal / regulatory needs
Reduced cost
Build customer confidence
Maintain market standing and/or reputation
Increase sales
-
Audit Objective, Scope, Criteria
Audit Objectives: what is to be accomplished by the audit; defined by the audit client.
Audit Scope: extent and boundaries of the audit; satisfies the purpose of the audit.
Audit Criteria: reference against which conformity is determined.
-
Audit Objectives
Audit objective should be consistent with the company objectives.
Audit objectives should be realistic and achievable
Objective to provide a clear focus for the audit.
-
Audit Objectives
Examples of audit programme objectives include the following:
to meet requirements for certification to a management system standard;
to verify conformance with contractual requirements;
to obtain and maintain confidence in the capability of a supplier;
to contribute to the improvement of the management system.
-
Audit Scope
Extent and boundaries of an audit
Clearly defining the audit scope is important in determining the budget, human resources, and time required for the audit
Clear scope of the audit helps increase the efficiency and effectiveness of the audit.
-
Audit Criteria
Set of policies, procedures or requirements used as a reference against which audit evidence is compared.
-
Audit Criteria
Supplier's Quality System
Contracts
Purchase orders
Customer specifications
National or international standards
Industry codes and standards
Laws and regulations
-
Key Audit Participants
Client
Auditor
Auditee
-
Audit Participants
Client - organization or person requesting an audit.
Auditor - person who conducts an audit.
Auditee - organization or individual being audited.
-
Client Responsibilities
Initiates audit
Determines audit purpose and scope
Provide resources
Receives the audit report
Determine the report distribution
Determines actions
-
Auditor Responsibilities
Understand the purpose, scope and audit criteria.
Plans the audit
Perform the audit
Collect audit evidences
Analyze audit evidences
Reports the audit
Follows up the action on audit findings
-
Auditee Responsibilities
Inform the staff
Provide resources (interview room, communications and clerical support)
Provide escorts
Show objective evidence
Co-operate
Determine and initiate corrective actions
-
Other Audit Participants
Technical Expert
Observer
Guide
-
Other Audit Participants
Technical expert - person who provides specific knowledge or expertise to the audit team.
Observer - person who accompanies the audit team but does not audit.
Guide - person appointed by auditee to assist the audit team.
-
Independence
Auditors are independent when they render impartial and unbiased judgment in the conduct of an audit.
Conflict of interest is a situation in which an internal auditor has a competing professional or personal interest.
Audit independence is essentially a state of mind. Internal auditors cannot be physically independent from the organization they are working for, but they can always stay objective.
-
Objectivity
Objectivity is a mental attitude which auditors should maintain while performing engagements.
The auditor should have an impartial, unbiased attitude and avoid conflict of interest situations.
It is sometimes described as independence of mind.
Auditors are not to accept fees, gifts, or entertainment that may create the appearance that the auditor's objectivity has been impaired.
-
Audit Programme
Audits are planned and documented
Formal and systematic
Are never informal
-
Audit Programme
An audit programme shall be planned, taking into consideration
the status of the processes
importance of the processes
areas to be audited,
the results of previous audits
Frequency also depends on criticality of product or service
-
Audit Resources
The number and composition of the auditor team depend upon:
- Objective, scope, depth of audit
- Competence of team members
- Team work, and ability to interact effectively with auditee
- Statutory, regulatory, contractual and accreditation / certification requirements
-
Audit Resources
The number and composition of the auditor team depend upon:
- Language / cultural issues
- Type of audit (System, Process, Product)
- Specific technical expertise
- Location of audit
- Cost consideration
- Time available
-
Notify Auditee
Advance/formal notice to auditee
Gives auditee an opportunity to get their house in order
Incentive to improve their control systems
Letter to auditee Quality manager and top management
Should cover the requirements of the audit team
-
Notify Auditee
Contents of audit notification
- General audit objective
- Names of audit team and team leader
- Official contacts of lead auditor
- Time and location of entrance
- Method of distribution of final audit report
-
Notify Auditee
Contents of audit notification
- Identification of areas of special concern
- Tentative audit schedule (to be reconfirmed in the opening meeting)
- Documents to be submitted prior to the audit for review
-
Document Review
Review documents (criteria) related to the auditee organization
Contract, Specifications,
Quality Manual,
Procedures, Guidelines
Organization Charts
Codes and Regulations etc.
Previous audit reports/programs
-
Document Review
Advantages of in-office review
- Gain a good understanding of the client
- Enables the team to prepare relevant questions for the client during the entrance meeting
- Helps the team to understand the criteria well (what is to be done; by whom and when)
- Saves audit investigation time
-
Identify Potential Risks
Identifying areas for audit emphasis (risk areas). These include:
- Areas identified/documented in the Risk Register
- Areas with a high possibility of mismanagement
- Where there are large volumes of transactions
- Where management has expressed concerns
- Where a prior audit disclosed major weaknesses/deficiencies
-
Determining Auditor Competence
Factors to consider:
Size, nature and complexity of organization to be audited.
Complexity of the management system to be audited
-
Determining Auditor Competence
Personal Behaviour
Auditing Knowledge
- Audit principles, procedures and methods
- Management system
Technical Knowledge
- Contractual requirements
- Codes and standards
- Discipline / Sector specific
-
Personal Behaviour
Ethical
Open-minded
Diplomatic
Perceptive
Versatile
Tenacious
Decisive
Self-reliant
Acting with fortitude
Open to improvement
Culturally sensitive
Collaborative
-
Negative Characteristics
Argumentative
Opinionated
Over-conclusive
Aggressive
Inconsiderate
Inconsistency
Inflexibility
Lazy
Impractical
Know-it-all
Indecisive
-
Auditing Knowledge
Plan and organize
Time management
Prioritize and focus on significant issues
Interview, listen, observe and review documents
Communicate effectively
Understand the risks associated
-
Management System Knowledge
Knowledge of Management Systems (e.g. ISO 9001)
-
Technical Knowledge
Discipline / Sector specific knowledge
Legal requirements related to sector
Codes and standards
Contract / Purchase Order
-
Role of Lead Auditor
Balance the strengths and weaknesses of team members
Manage the audit process
Represent the audit team
Lead the audit team
Prepare and complete the audit report
-
Auditors' Evaluation Criteria
Personal Behaviour
Auditing Knowledge
Technical Knowledge
Education
Work experience
Training
Audit Experience
-
Audit Logistics
Time / location of
- Arrival
- Opening meeting
- Interviews
- Closing meeting
Facilities for the audit team
- Conference room
- Internet connection
- Personal Protective Equipment (PPE)
-
Audit Logistics
Restrictions
- Out of bound areas
- Use of camera
Travel
- Travel bookings
- Hotel
- Transport
-
Checklists
Checklists are useful aides-mémoire.
-
Purpose of the Audit Checklist
Help in time management
Helps in note taking
Memory tool
To ensure that all areas have been covered
Evidence of audit effectiveness
The checklists should be a good servant, never the master, of the auditor.
-
Generic vs Specific Checklists
Generic checklists
Supplement with specific items
Specific Checklists
Prepared for a specific use.
-
Checklists
Developed by Lead auditor or auditor
Based on audit purpose and scope
Questions should be open-ended
Should have space to record response
Sent to auditee prior to audit, usually at the time of notification
-
Scoring vs Non-scoring Checklists
Scoring checklists:
Used for comparison purpose
Score may become goal, bias in marking
Non-scoring checklists:
Good for continuous improvement and are flexible
-
Advantages of Checklists
Promotes planning for the audit
Thorough coverage of the scope
Time management during audit
Consistent audit approach
Serves as a memory aid
Objective evidence that audit was performed
Information base for future audits
-
Disadvantages of Checklists
Questionnaires narrow the vision
Questionnaires may obstruct communication
Too strict following of the checklist may result in omission of important audit trails
Generic checklists may not add any value
-
Auditing Strategy
Trace forward
Trace backward
Random selection
-
Auditing Strategy
Trace Forward
- Examination from beginning to the end
- Beneficial to get the whole picture from the start to finish
Trace Backward
- Beginning at the end and working back through the process
- Understanding of end objective is attained right away
- All product records exist
-
Auditing Strategy
Random Selection
- Alternate method instead of tracing
Advantage:
- Where time and personnel are limited
- Most frequently used
- Use of flowchart to identify important steps in flow
- Flexible and saves time
Disadvantage:
- Additional note taking
- Difficulty in understanding the process flow
- Experienced auditor required
-
Auditing Strategy
Department Audit (or Vertical audit)
Several system elements are audited in a single department
Saves time (+)
Judges company on management of one department (-)
Auditor should be very familiar with the requirements
-
Auditing Strategy
Element Audit method (Horizontal)
To satisfy elements on checklist several departments audited
Adequacy of the system is easier for auditor to judge
More time to trace each element
-
Planning
Select the team
Prepare plan
Prepare working documents
Logistics
-
Notify the Auditee
Audit Plan
Timetable
Checklists
-
Notify the Audit Team
Dates & duration
Detailed plan
Individual tasks
Results of document review
Any special requirements
-
Opening Meeting Participants
Auditee senior management (minimum Management Rep.)
Quality Manager
Audit guides
All audit team participates
Lead Auditor chairs the meeting
-
Opening Meeting Agenda
Safety topic (evacuation, PPE)
Introduce the team
Objective, scope & criteria
Review audit plan and meeting times
Explain about sampling
Confidentiality
Method of reporting (grading)
-
Opening Meeting Agenda
Confirm staff aware & available
Confirm resources and facilities
Confirm availability of guides
Reporting on findings
Closing meeting time and location
Questions
-
Audit Interview / Data Collection
Questioning / Interviewing
Observation / Verification
Document review / verification
Taking Notes
Corroboration
Generate Audit Findings
Prepare Audit Conclusion
-
Questioning Technique
Questions should:
Yield the relevant information
Should not suggest answers
Should not contain emotive words
-
Questioning Technique
Ask questions in conversational manner
Weave questions into general conversation
-
Questioning Technique
Open questions
Closed questions
Clarifying questions
-
Open Questions
What? Why? Where? Who? When? How?
Advantage: Yield informative answer
Limitation: May lead to the conversation getting side-tracked!
One way to avoid diluting:
Show me!
-
Closed Questions
Closed questions - answer: Yes/No
Open questions - answer: few words
Intended to yield very specific information
Disadvantages:
- Do not bring much information
- If used too often may create impression of cross-examination
-
Clarifying Questions
Intended to clarify, retrieve full information and prevent misunderstanding
Disadvantages:
- If used too often may create impression that you were not listening
- Are time-consuming
- If you are not prepared to listen in full, don't ask them
-
Tips for a Successful Audit
Establish suitable climate
Put auditee at ease
Use proper questioning technique
Use open questions, and closed questions sparingly
-
Observations
Keep observing the physical evidence:
- Products
- Equipment
- Instruments
- Conditions
- Operations
-
Observations
What is it used for?
Need it be calibrated?
Was it calibrated?
Is there a record?
What is the reading?
Is the reading within the acceptable range?
-
Observations
Identification?
Status with respect to measurement and monitoring?
Storage location & conditions?
-
Document Review
Quality Manual
Procedures
Work Instructions
Records
-
Document Review
Document review to determine the conformity to the system.
-
Document Review
Sample of Records:
No time to check everything
Select representative sample
No set percentage
Representation of actions
Cover relevant period
-
Notes Taking
Explain the need to take notes to auditee
Make your notes:
- Comprehensive
- Accurate
- Precise
- Legible
-
Notes Taking
Documents:
- Title and document number
- Revision number
- Issue date
- Location where the document was seen
Part:
- Part description
- Identification number
-
Notes Taking
Person:
- Name
Title
Department
-
Corroboration
To strengthen with other evidence, to make more certain.
More important for data/information which could be questionable/doubtful.
Confirming or verifying using multiple sources.
-
Generate Audit Findings
Evaluate audit evidence against audit criteria
Audit finding can be conformity or nonconformity
Nonconformity may be graded
Review with auditee for accuracy of audit evidence
Review audit findings with audit team at appropriate stages
-
Audit Conclusion
Audit team meets prior to the closing meeting to:
Review audit findings
Agree on audit conclusions
Prepare recommendations, if specified by audit plan
Discuss audit follow-up
Achievement of audit objective, coverage of audit scope, and fulfilment of audit criteria.
-
Closing Meeting
-
Closing Meeting Participants
Auditee senior management (minimum Management Rep.)
Quality Manager
Audit guides
All audit team participates
Lead Auditor chairs the meeting
-
Closing Meeting Agenda
Safety topic
Explain about sampling
Method of reporting (grading)
Process of handling of audit findings
Presentation of audit findings
Draft report
Recommendations?
Any disagreement
-
Audit Report
-
Audit Report Responsibility
Product of the Audit
The Lead Auditor is responsible for content, accuracy and submittal in a timely fashion
-
Audit Report Ethics
Formal Audit report should begin immediately after the close-out meeting, while audit details are fresh.
Findings not from the exit meeting or not included in the draft audit report.
Pressure from management to alter the report
-
Audit Report Timing
Complete as soon as possible
Problems with Formal Report procrastination
- The longer it is put off, the less interest there is in pursuing the corrective actions
- Takes a back seat because of other priorities
- A signal to the auditee management that it is not as important as was initially believed
-
What not to be included
Confidential or proprietary information
Subjective opinions
Recommendation
Minor deficiencies discovered and corrected during the audit (maintain only in the working papers for future audits)
-
What not to be included
Name of individual employees
Nit-pick (trivial many)
Emotional or argumentative statements
Items not presented in the draft report or exit interview
More than six or seven major findings
-
Contents
Content of a standard formal report format
- Cover sheet
- Main body of the report
- Findings and Observations
-
Contents
The Cover Sheet
- Audit reference number
- Date of issue
- Company name
- Location
- Area/function audited
-
Contents
The Cover Sheet
- Name of Auditor / Lead Auditor
- Auditees interviewed
- Audit purpose, scope, criteria
- Distribution list
- An executive summary of findings
-
Contents
Main Body of the Report
- Strengths or Positive Findings
- Audit findings and evidences
- A statement on the degree to which the audit criteria have been fulfilled.
- Nonconformities to be addressed.
-
Contents per ISO 19011:2011
The audit report should provide a complete, accurate, concise and clear record of the audit and should include or refer to the following:
Audit objective
Audit scope
Audit client
Audit team leader & team members
Date and location of the audit activities
Audit criteria
Audit findings
Audit conclusions
-
Report Retention
Importance of Retaining
- Follow up on continuing Corrective Action success
- Developing future checklists
- Starting point for the future audits
- Potential litigation purpose
-
Report Retention
How long to retain?
As required by the Audit Program, or Client
Company's record retention policy
-
Follow-up and Closure
-
Audit Follow-up
Depending upon the audit objective, auditee undertakes
Correction
Corrective Action
Preventive Action
Within agreed timeframe
-
Audit Follow-up
Auditee keeps audit team informed of these actions
Completion and effectiveness is verified
Verification may be part of a subsequent audit.
-
Audit Closure
Audit is complete when all planned activities have been carried out, or agreed with the audit client.
Audit records to be retained or destroyed. (as per procedure or applicable requirements)