— Logistics and communication arrangements
— Any specific measures to be taken to address the effect of uncertainty on achieving the audit objectives
— Matters related to confidentiality and information security
— Any follow- up actions from a previous audit
— Any follow- up activities to the planned audit
— Coordination with other audit activities, in the case of a joint audit
Audited Organization: ABC Industries, ABC Fla.
Purpose:
To assess conformance (compliance) and effectiveness of the management system against internal and external performance standards and to report findings.
Scope of the audit:
The ABC production facility and support activities will be included in the audit. The audit includes all departments that support the production of gizmos that are responsible for meeting ISO 9001 requirements. The areas of interest include the purchasing, quality assurance, laboratory, distribution, order entry, scheduling, production, and training departments.
Requirements:
As specified in ISO 9001 and existing ABC company policies and procedures.
Other regulatory requirements and industry standards Applicable documents:
The Quality (policy) Manual(s)—QM9001
Unit procedures and records that address the ISO 9001 requirements Overall schedule (detailed interview schedule to follow):
March 23, 20XX
8:00 A.M. Orientation for auditors (safety and environment) 9:00 A.M. Opening meeting (for auditees)
9:30 A.M. Tour/review documents 10:30 A.M.–4:00 P.M. Interviews and observations 4:00 P.M.–5:00 P.M. Audit team meeting March 24, 20XX
8:00 A.M.–8:30 A.M. Daily briefing with ABC coordinator 8:30 A.M.–1:00 P.M. Interviews and observations continued 1:00 P.M.–3:00 P.M. Audit team meeting, preparation of report 3:00 P.M.–4:00 P.M. Exit meeting
Team members:
John Smith, lead auditor, ASQ CQA Jane Doe, ASQ CQA
Approved:
Audit Organization
Audit Plan—2/2/XX
Approved:
ABC Industries Figure 6.1 Audit plan.
Part IIa
During the audit preparation phase, the auditing organization must ensure that the audit’s purpose and scope are defined and identify the needed resources and applicable reference standard. The audit team is selected based on these criteria.
The lead auditor then secures the appropriate documents, prepares (or ensures that other members of the audit team prepare) applicable checklists and other working papers, and determines the proper data collection methods. The written audit plan should be signed by the lead auditor and approved by the audit pro-gram manager, the client, or the auditee. The plan should be reviewed, approved, and presented to the auditee before the on- site audit activities begin.
The following topics are discussed in this chapter:
• Elements of the audit planning process
• Auditor selection
• Audit-related documentation
• Logistics
• Auditing tools and working papers
• Auditing strategies
• Communication and distribution of the audit plan
1. eLeMeNTs oF The aUdIT PLaNNINg PRoCess Identification of authority
A very important step is to verify the authority to perform the audit. “By specify-ing the authority for the audit to all involved parties (includspecify-ing your audit boss and other users of the audit), you confer legitimacy to the audit and remove (or minimize) those adverse feelings. Of course, another reason to verify your author-ity is to avoid wasting time preparing for something not authorized.”1
The authority to perform an audit may come from a single source or a combi-nation of sources. The important thing is not where the authority comes from but that it does indeed exist. Without a specific authority source that permits an audit, an auditor has no right to perform one. The authority to perform an audit may come from inside or outside the auditee organization. Internally, authority may come from an organization’s chain of command, such as the president, the direc-tor, or a department manager. Externally, authority may reside in purchase agree-ments approved by an officer of the company, industry standards adopted by the organization, or government regulations enacted by elected officials. Authority to conduct an audit comes from a person. If the authority does not come directly from a person, it may be in documents approved by persons of authority.
Internal Sources
Internal sources of authority are either organizational or hierarchical. The term organization describes functions or groups but does not rank them. The word hier-archy refers to status, particularly among individuals. Internal audit authority can come from either source or a combination, depending on the company’s structure.
Part IIa
Organization
The source of authority for the performance of internal audits usually resides in an approved document—often called a quality, environmental, or safety manual—
that describes the organization’s management system. This document should define the authority of certain groups or individuals to perform audits.
At other times, a company’s policy defines and authorizes audits. If, for exam-ple, an organization agrees to meet certain industry standards voluntarily, then the organization policy specifies that those standards will be met. In this case, an audit is a planned group of activities to assure management that the organization is meeting those industry standards, which are usually promoted as voluntary, but which are often required of organizations to be competitive in the industry.
Sometimes an organization decides to adopt or adapt certain criteria even though it is not required to do so. For example, an organization may elect to meet ISO 9001 or ISO 14001 standards even though it has no intention of applying for registration/certification. Likewise, criteria for national, state, or regional quality awards may be used as a basis for business improvement even when an organiza-tion has no intenorganiza-tion of applying for the award.
Hierarchy
Hierarchy is the chain of command that controls how work is delegated and how responsibilities are assigned within an organization. Rather than being driven by approved documents, as in the case of organizational authority, the decision to conduct an audit is driven by the people who have the authority to do so. The audit authority must be higher in the organizational structure than the functions being audited. For example, it would be extremely difficult for a division or department of a company to commission an audit of corporate headquarters. But the vice pres-ident of operations might request a quality or environmental audit of department operations. A department manager may request a series of process audits to be conducted on a new or existing manufacturing step or service. This kind of audit is not normally defined or required by the organization’s policies and procedures, and it is usually requested at a higher level to address a specific need. The client in these cases would be the vice president of operations or the department manager.
External Sources
At times, the authority for an audit is external to the auditee organization, as in the case of authority specified by a contract, standard, or regulatory body.
Contract
The authority to perform external second- party audits should reside in the pur-chasing agreement (a contract or purchase order) between an organization and its suppliers. Sometimes this authority is not readily visible; it may be included in a section on rights of access. A rights-of-access clause gives a customer or regula-tory body the right to inspect or audit a supplier facility, product, or service. The clause usually specifies reasonable access during normal business hours. In the United States, the Federal Acquisition Regulations (FARs) require federal agencies to include this authority in most procurement documents.
Part IIa
A contractual audit source is common in second- party audits. The source of authority is the signed contract between two parties—the supplier and the cus-tomer. Proprietary processes, such as research and development projects or pro-cesses that are being conducted for a competitor, are defined and are excluded from the concern of the auditor. Access to plant locations is restricted in these cir-cumstances but should be defined in advance.
Standards
National and international management system standards such as ISO 9001 require internal audits to be performed. These standards may be followed voluntarily or may be imposed by contract or regulation.
Industry standards are written to clarify, amplify, and, in some cases, limit fed-eral regulations. For example, in the pharmaceutical industry, voluntary industry associations such as the Advanced Medical Technology Association (AdvaMed) have developed standards that may be used as the basis for internal audits. After an industry has demonstrated that voluntary standards are working, the best prac-tices may be incorporated into federal regulations. However, industry standards are not regulatory documents.
Normally, the requirements of the standards are incorporated into or inter-preted by the company’s internal documents. The policies and procedures might include the authority to audit the organization and a reminder to managers that they are to cooperate with the auditors. Also, procedures implemented as a result of a national/international standard may provide guidance on how the audit pro-gram will be managed and how audits are conducted.
Regulatory
International, federal, or state law may be the source of requirements in certain regulated industries. Within the United States, these regulations are derived from laws passed by Congress and interpreted by the Code of Federal Regulations pro-mulgated by the authorized agency. The courts have enforced and reinforced the rights of regulatory bodies to conduct inspections and audits of organizations to monitor their compliance with the law. Regulatory bodies include organizations that oversee safety, health, and environmental laws, such as OSHA, the FDA, the FAA, the DOE, and the EPA.