Monday, 22 November 2010

A Guide to Auditing Top Management and the Internal Audit

Organizations must audit the processes associated with top management as part of an effective internal audit program. These processes include those relating to strategic planning, the establishment of policies and objectives, ensuring effective communication and ensuring the availability of resources.

Auditing top management is often seen as a sensitive issue, but by treating each top management activity as a normal organizational process, it becomes much easier to focus on determining whether the outputs of their activities are effective.

How to Audit Top Management

By using a formal risk-based approach to internal audit planning, as required by ISO 9001, auditors have a great opportunity to engage top management in the audit process. By making top management part of the planning process and by giving them ownership of the areas to be audited, the internal audit becomes a valuable mechanism for development.

A good starting point is to copy, into the audit checklist, all requirements from the standard that say ‘top management shall’. Almost every clause of section 5 starts with ‘top management shall’, and it’s the auditor’s job to find out if top management ‘did’. The audit checklist must cover the requirements from the following sections:

5.1 Management Commitment
5.2 Customer Focus
5.3 Quality Policy
5.4.1 Quality Objectives
5.4.2 Quality Management System Planning
5.5.1 Responsibility and Authority
5.5.2 Management Representative
5.5.3 Internal Communication
5.6 Management Review
5.6.1 General

During the Internal Audit

When undertaking the internal audit of top management, the auditor should collect and corroborate evidence of top management’s commitment from within the quality management system itself. The auditor should ask how the quality manual addresses management commitment issues and ask how they are accomplished; then, the auditor must find objective evidence that proves it’s actually being done. This method applies to top management as well as the production machinist, and everyone else in the organization for that matter!

If the standard, documented procedures, policies and objectives are audit inputs, then the evidence sampled and the interview statements made by top management auditees are the audit outputs. If the input does not align with the expected output, the auditor simply states this misalignment as a non-conformance whilst providing an audit trail to the supporting evidence.

Final Reporting

Auditors should prepare the internal audit report in a manner appropriate for presentation to top management. It might be necessary to present the executive summary of the audit report directly to the top management and other interested parties within the organization. The executive summary must highlight both positive and negative findings and suggest opportunities for improvement.


The ISO 9001 internal audit checklist and gap analysis tool is ideal for organizations that require a quick and affordable approach to developing a reliable framework for their own internal audit process.

Download a free internal audit checklist example courtesy of ISO 9001 Checklist:

Richard Keen ACQI, 18th November 2010

Thursday, 18 November 2010

Choosing your ISO Consultant

An ISO Consultant has a great deal of influence over the development of an organization’s quality system and many organizations spend a great deal of money using consultants for the sole purpose of helping them achieve ISO 9001 certification.

How can a company have confidence that a consultant is competent and that the organization's needs and expectations will be met?

Evaluating a Consultant

Registering an organization to ISO 9001 does not necessarily prove product quality; it proves that the organization is good at registering. All things being equal, organizations often require an ISO Consultant because they want a specialist; someone who is good at ‘registering’.

We recommend you review ISO 10019:2005, written by Technical Committee 176 and titled ‘Guidelines for the Selection of Quality Management System Consultants and use of their Services.’ As the name suggests, this document provides guidance on the factors to be taken into consideration when evaluating a quality management system consultant. It applies to the following:

- Organizations who wish to select a consultant
- ISO Consultants themselves, as a guide to develop their competence in consulting
- Consulting organizations, for selection of consultants

Selection Criteria

Some might argue that the ISO Consultant is merely a ‘supplier’ and should therefore be subject to ‘normal’ supplier evaluation and selection controls. Many organizations operate defined criteria for product and service suppliers but the ISO Consultant is rarely subject to the same controls which he is often responsible for implementing. Very few organizations are likely to operate a supplier evaluation process that retains approval records for their chosen consultant.

Deciding which Consultant to Hire

Always ask for references; these will allow you to determine how the ISO Consultant handled similar implementation scenarios. References usually say a lot about a consultant’s ability to deliver. You can use the questions below as a basis for developing your own formal evaluation process. Why not make it official and add the selected consultants to the approved supplier list?

- What were the outcomes of previous consulting engagements?
- Does the consultant operate a fixed way of doing things?
- Has the consultant undergone peer assessment through a professional association?
- Have they demonstrated the ability to complete assignments on budget and on time?
- Are they open to learning how your organization operates?
- Does the consultant’s experience match your implementation requirements?

If you are unsatisfied with the responses to any of these questions, ask the consultant to provide additional information. Any ISO Consultant worth their salt would rather put in additional effort than leave a client unsatisfied!

Once all the options have been considered, ask the consultant to submit a formal proposal that outlines their implementation strategy. Review the proposal with the consultant and resolve any queries you may have. Sections of the proposal may have to be rewritten to provide the desired level of assurance and to provide greater clarity. Accept the proposal only when you thoroughly understand its implications.


ISO 9001 Checklist has grown from a project started in 2002 by ISO Auditors and Quality Manager Trainers to freely share their knowledge and experience with the ISO community online. The free ISO 9001 training section is an essential resource for any organization or ISO consultant aiming to achieve ISO 9001:2008 accreditation through PDCA.

To learn more about free online ISO 9001 training please visit ISO 9001 Checklist:

Richard Keen ACQI, 17th November 2010

Friday, 12 November 2010

Getting the most out of the Document Control Procedure

The ISO 9001:2008 quality management standard requires the implementation of six mandatory procedures. One of these mandatory procedures is the document control procedure (4.2.3) and another is the record control procedure (4.2.4). The first step in implementing these procedures requires an understanding of the difference between the words ‘document’ and ‘record’, as well as the standard’s intent behind their application.

Defining Documents

ISO 9000:2005 Fundamentals and Vocabulary defines a document as information, such as specifications or procedures, and its supporting medium, e.g. paper or electronic. The implication is that documents change and naturally evolve as new data replaces existing data, and it is this evolution and distribution that the document control procedure must effectively manage. Remember: information is an organizational asset.

The document control procedure must state how the following requirements are to be realised:

- How documents are approved for suitability prior to use
- How documents are reviewed and updated
- How to identify the correct versions of documents
- How the correct versions of documents will be accessed
- How legibility is ensured
- How external documents are controlled and distributed
- How to prevent unintended use

Defining Records

A record, on the other hand, is static, as its primary purpose is to capture historical information which does not undergo change. Records capture the results of activities performed in support of the quality management system, including, among others, the outputs from the product realisation process and the measurement, analysis and improvement processes. They should be considered a primary source of evidence that proves whether an activity was undertaken in accordance with the necessary requirements.

The record control procedure must define:

- How records are identified and accessed
- How records are stored and for how long
- How records are protected in order to remain legible
- How records are retrieved for use
- How records should be disposed of

The Document Control Procedure and the Certification Process

Having understood the difference between records and documents, the next important point to keep in mind is the importance of the document control procedure and its relationship to the ISO 9001 certification process. To understand the relationship and the need for a document control procedure, it is important to remember that the last step in the ISO 9001 certification process is the certification body audit. So, what is audited? Obviously, it is the records and documents themselves that are audited. Hence organizations which have made the effort to preserve records and to manage documents will have already taken some vital steps in their certification journey.


When going for ISO 9001 certification, it is important that the document control procedure ensures that all documents are compliant with Clause 4.2. This function should be an integral part of the quality management system.

Download a free document control procedure example here:

Richard Keen ACQI, 12th November 2010

Wednesday, 10 November 2010

ISO 9001 Training

ISO 9001 is a quality management standard which is often implemented by organizations as a means to differentiate themselves from the competition and to carve a larger niche for themselves as quality-discerning companies. As a standard which immediately elevates organizational positioning, most organizations seek ISO 9001 certification. What is revealing, however, is that while certifications hit the one million mark in 2010, the annual percentage increase in ISO 9001 registrations is still in single digits: an 8% increase in new registrations, compared with a 3% increase in 2008, indicates that many organizations are not ready to seek certification (Source:

Barriers to Certification

What stops these organizations from seeking certification is debatable, but one good guess is the ‘fear of the unknown’. Anything to do with quality certification immediately spells processes. Organisations fear non-compliance and the effort required to become compliant. Those organisations which decide to go for certification generally entrust the job to external consultants.

Reliable ISO 9001 Training

Having been in this business for more than eight years, ISO 9001 Checklist believes that any organisation can go for certification and all that is required is the belief that this can be achieved without resorting to costly consultants. Once the organization is convinced that it would like to go for certification, then a simple ISO 9001 training program is all that is required to understand the nuances behind the certification process.

About ISO 9001 Checklist’s ISO 9001 Training Program

The ISO 9001 training program is based on the simple PDCA cycle principle, P- Plan, D- Do, C- Check and A- Act. Planning the quality requirements to produce outputs which will align to ISO 9001 certification is the first stage of the training. With a plan in place, performing day-to-day activities becomes really simple and the training helps to draw up the processes and checkpoints required for certification. The training’s third step involves checking the results and this is the fun part as you actually get to see the results of your work. The last stage is to improve, and act upon those areas which require work.

Therefore, the ISO 9001 training program, instead of being a ‘stand-alone’ set of dictatorial rules, is created to align itself to individual organizations. This makes it easy for organizations to identify the necessary steps and processes. More importantly, the ISO 9001 training program helps organizations to realise the value of implementing these quality processes, as day-to-day activities become well defined, meaningful and well thought out.

The Effectiveness of Training

It is certain that every element of the standard has its own inherent training requirements. The ISO 9001 training requirements should be designed to support continual improvement in the quality of the end product. The standard emphasizes that employee training should make employees skillful and knowledgeable in performing their roles. Thus, the training modules should be targeted such that all processes meet product specifications and are in accordance with ISO 9001 requirements.



Richard Keen ACQI, 10th November 2010