Monday, 22 November 2010

A Guide to Auditing Top Management and the Internal Audit

A Guide to Auditing Top Management and the Internal Audit

Organizations must audit the processes associated with top management as part of an effective internal audit program. These processes include those relating to strategic planning, the establishment of policies and objectives, ensuring effective communication and ensuring the availability of resources.

Auditing top management is often seen as a sensitive issue but by considering each top management activity as a normal organizational process, it becomes much easier to focus on determining whether the outputs of their activities are effective.

How to Audit Top Management

By using a formal risk-based approach to internal audit planning, as required by ISO 9001, auditors have a great opportunity to engage top management in the audit process. By making top management part of the planning process and by giving them ownership of the areas to be audited, the internal audit becomes a valuable mechanism for development.

A good starting point is to copy, into the audit checklist, all requirements from the standard that say ‘top management shall’, almost every clause of section 5 starts with ‘top management shall’ and it’s the auditors job to find if top management ‘did’. The audit checklist must cover the requirements from the following sections:

5.1 Management Commitment
5.2 Customer Focus
5.3 Quality Policy
5.4.1 Quality Objectives
5.4.2 Quality Management System Planning
5.5.1 Responsibility and Authority
5.5.2 Management Representative
5.5.3 Internal Communication
5.6 Management Review
5.6.1 General

During the Internal Audit

When undertaking the internal audit of top management, the auditor should collect and corroborate evidence of top management’s commitment from within the quality management system itself. The auditor should ask how the quality manual addresses management commitment issues and ask how they are accomplished; then, the auditor must find objective evidence that proves it’s actually being done. This method applies to top management as well as the production machinist, and everyone else in the organization for that matter!

If the standard, documented procedures, policies and objectives are audit inputs, then the evidence sampled and the interview statements made by top management auditees are the audit outputs. If the input does not align with the expected output, the auditor simply states this misalignment as a non-conformance whilst providing an audit trail to the supporting evidence.

Final Reporting

Auditors should prepare the internal audit report in a manner appropriate for presentation to top management. It might be necessary to present the executive summary of the audit report directly to the top management and other interested parties within the organization. The executive summary must highlight both positive and negative findings and suggest opportunities for improvement.


The ISO 9001 internal audit checklist and gap analysis tool is ideal for organizations that require a quick and affordable approach to developing a reliable framework for their own internal audit process.

Download a free internal audit checklist example courtesy of ISO 9001 Checklist:

Richard Keen ACQI, 18th November 2010

Thursday, 18 November 2010

Choosing your ISO Consultant

Choosing your ISO Consultant

An ISO Consultant has a great deal of influence over the development of an organization’s quality system and many organizations spend a great deal of money using consultants for the sole purpose of helping them achieve ISO 9001 certification.

How can a company have confidence that a consultant is competent and that the organization's needs and expectations will be met?

Evaluating a Consultant

Registering an organization to ISO 9001 does not necessarily prove product quality; it proves that the organization is good at registering. All things being equal, organizations often require an ISO Consultant because they want a specialist; someone who is good at ‘registering’.

We recommend you review ISO 10019:2005; written by Technical Committee 176, titled ‘Guidelines for the Selection of Quality Management System Consultants and use of their Services.’ As the name suggests, this document provides guidance the factors to be taken into consideration when evaluating a quality management system consultant. It applies to the following:

- Organizations who wish to select a consultant
- ISO Consultants themselves, as a guide to develop their competence in consulting
- Consulting organizations, for selection of consultants

Selection Criteria

Some might argue that the ISO Consultant is merely a ‘supplier’ and should therefore be subject to ‘normal’ supplier evaluation and selection controls. Many organizations operate defined criteria for product and service suppliers but the ISO Consultant is rarely subject to the same controls which he is often responsible for implementing. Very few organizations are likely to operate a supplier evaluation process that retains approval records for their chosen consultant.

Deciding which Consultant to Hire

Always ask for references, these will allow you to determine how the ISO Consultant handled similar implementation scenarios. References usually say a lot about a consultant’s ability to deliver. You can use the questions below as a basis for developing your own formal evaluation process. Why not make it official and add the selected consultants to the approved supplier list?

- What were the outcomes of previous consulting engagements?
- Does the consultant operate a fixed way of doing things?
- Has the consultant undergone peer assessment through a professional association?
- Have they demonstrated the ability to complete assignments on budget and on time?
- Are they open to learning how your organization operates?
- Does the consultant’s experience match your implementation requirements?

If you are unsatisfied with the responses to any of these questions, ask the consultant to provide additional information. Any ISO Consultant worth their salt would rather put in additional effort than leave a client unsatisfied!

Once all the options have been considered, ask the consultant to submit a formal proposal that outlines their implementation strategy. Review the proposal with the consultant and resolve any queries you may have. Sections of the proposal may have to be rewritten to provide the desired level of assurance and to provide greater clarity. Accept the proposal only when you thoroughly understand its implications.


ISO 9001 Checklist has grown from a project started in 2002 by ISO Auditors and Quality Manager Trainers to freely share their knowledge and experience with the ISO community online. The free ISO 9001 training section is an essential resource for any organization or ISO consultant aiming to achieve ISO 9001:2008 accreditation through PDCA.

To learn more about free online ISO 9001 training please visit ISO 9001 Checklist:

Richard Keen ACQI, 17th November 2010

Friday, 12 November 2010

Getting the most out of the Document Control Procedure

Getting the most out of the Document Control Procedure

The ISO 9001:2008 quality management standard requires the implementation of six mandatory procedures. One of these mandatory procedures is the document control procedure (4.2.3) and the other is the record control procedure (4.2.4). The first step in implementing these procedures requires an understanding of the difference between the words `document’ and `record’, as well as the standard’s intent behind their application.

Defining Documents

ISO 9000:2005 Fundamentals and Vocabulary defines a document as being information, such as specifications or procedures and its supporting medium e.g. paper or electronic. The implication is that documents change and naturally evolve as new data replenishes existing data and it is this evolution and distribution that the document control procedure must effectively manage. Remember; information is an organizational asset.

The document control procedure must state how the following requirements are to be realised:

- How documents are approved for suitability prior to use
- How documents are reviewed and updated
- How to identify the correct versions of documents
- How the correct versions of documents will be accessed
- How legibility is ensured
- How external documents are controlled and distributed
- How to prevent unintended use

Defining Records

A record, on the other hand is static as its primary purpose is to capture historical information which does not undergo change. Records capture the results of activities performed in support of the quality management system; including, among others, the outputs from the product realisation process, measurement analysis and improvement processes. They should be considered as a primary source of evidence that proves whether an activity was undertaken in accordance the necessary requirements.

The record control procedure must define the controls needed to:

- Identify and access records
- How records are stored and for how long
- How records are protected in order remain legible
- How records are retrieved for use
- How records should be disposed of

The Document Control Procedure and the Certification Process

Having understood the difference between records and documents, the next important point to keep in mind is the importance of the document control procedure and its relationship to the ISO 9001 certification process. To understand the relationship and the need for a document control procedure, it is important to remember that the last step in the ISO 9001 certification process is the certification body audit. So, what is audited? Obviously, it is the records and documents themselves that are audited. Hence organizations which have made the effort to preserve records and to manage documents will have already taken some vital steps in their certification journey.


When going for ISO 9001 certification, it is important that the document control procedure ensures that all documents are compliant with Clause 4.2. This function should be an integral part of the quality management system.

Download a free document control procedure example here:

Richard Keen ACQI, 12th November 2010

Wednesday, 10 November 2010

ISO 9001 Training

ISO 9001 Training

ISO 9001 is a quality management standard which is often implemented by organizations as a means to differentiate themselves from the competition and to carve a larger niche for themselves as quality discerning companies. As a standard which immediately elevates organizational positioning, most organizations seek ISO 9001 certification. But what is revealing, is the fact that while in 2010, certifications hit the one million mark, the percentage increase in ISO 9001 registrations annually is still in single digit numbers, i.e., 8% increase in new registrations compared with 3% increase in 2008 indicates the fact that many organizations are not ready to seek certification (Source:

Barriers to Certification

What stops these organizations from seeking certification is debatable, but one good guess is the `fear of the unknown’. Anything to do with quality certification, immediately spells processes. Organisations fear non-compliance and the effort required to become compliant. Those organisations which decide to go for certification generally entrust the job to external consultants.
Reliable ISO 9001 Training

Having been in this business for more than eight years, ISO 9001 Checklist believes that any organisation can go for certification and all that is required is the belief that this can be achieved without resorting to costly consultants. Once the organization is convinced that it would like to go for certification, then a simple ISO 9001 training program is all that is required to understand the nuances behind the certification process.

About ISO 9001 Checklist’s ISO 9001 Training Program

The ISO 9001 training program is based on the simple PDCA cycle principle, P- Plan, D- Do, C- Check and A- Act. Planning the quality requirements to produce outputs which will align to ISO 9001 certification is the first stage of the training. With a plan in place, performing day-to-day activities becomes really simple and the training helps to draw up the processes and checkpoints required for certification. The training’s third step involves checking the results and this is the fun part as you actually get to see the results of your work. The last stage is to improve, and act upon those areas which require work.

Therefore, the ISO 9001 training program instead of being a `stand-alone’ set of dictatorial rules is created to align itself to individual organizations. This makes it easy for organizations to identify the necessary steps and processes. More importantly the ISO 9001 training program helps organizations to realise the value of implementing these quality processes, as day-to-day activities become well defined, meaningful and well thought out.

The Effectiveness of Training

It is certain that every element of standard has its own inherent training requirements. The ISO 9001 training requirements should be designed to meet continual improvement in the quality of the end product. The standard emphasizes that employee training and should make them skillful and knowledgeable in performing their roles. Thus, the training modules should be targeted such that all processes meet product specifications and be in accordance with ISO 9001 requirements.


ISO 9001 Checklist has grown from a project started in 2002 by ISO Auditors and Quality Manager Trainers to freely share their knowledge and experience with the ISO community online. The free ISO 9001 training section is an essential resource for any organization aiming to achieve ISO 9001:2008 accreditation through PDCA.
To learn more about free online ISO 9001 training please visit ISO 9001 Checklist:

Richard Keen ACQI, 10th November 2010

Monday, 8 November 2010

ISO 9001 and the Quality Manual Template

ISO 9001 and the Quality Manual Template

Clause 4.2.2 of ISO 9001:2008 specifies the minimum content of the quality manual but it does not specify the format and structure. This is a decision that must be made by each organization during the planning and implementation phase and will often depend on the organization’s size, culture and industry. A quality manual template can help by providing a fundamental framework for documenting how an organization meets the requirements of ISO 9001. Without a template, the development of the quality manual can easily lose focus and direction.

Advantages of Using a Quality Manual Template

Many organizations find the task of implementing ISO 9001:2008 difficult as they simply don’t understand where to begin. A quality manual template can make it easy for any organization to prepare a compliant quality manual whilst offering the following advantages:

- Fully editable and customisable
- Viable alternative to using consultants
- Cost effective solution to implementation
- Saves manpower and resources
- Reduce overall development time

Components of the Quality Manual

ISO 9001:2008 provides guidelines of how organizations should endeavour to meet customer requirements and achieve satisfaction by maintaining a consistent quality practice. ISO 9001 has many requirements that, when taken together, provide assurance that a system's output will meet customer requirements. Based on these fundamental requirements, the quality manual template must address, among others, the following:

- How the quality system interacts with business processes
- What the documentation requirements are
- How management responsibility is manifested and communicated
- What the organization’s quality policy is and how it is deployed
- What the organization’s quality objectives are and how they reflect the quality policy
- How resources are managed
- How management reviews are undertaken
- How product realization leads to customer satisfaction
- How product and service provision is planned
- How the organization collects and analyses data
- How non-conformances are addressed
- How corrective and preventive actions are instigated
- How continual improvement is implemented

There is no requirement that changes to the quality manual be reviewed during management reviews but they do need to be reviewed and approved by the relevant personnel specified in your document control procedure.


Overall, ensure the quality manual template is able to describe how your organization delivers a conforming product or service to your customers. The standard requires it, and the credibility of your ISO 9001 registration demands it. Remember, the output of your quality management system is what matters to your customers!

Please download a free quality manual template example here:

Richard Keen ACQI, 8th November 2010

Tuesday, 2 November 2010

Using your ISO 9001 Audit Checklist

Using your ISO 9001 Audit Checklist

Whether an organization is implementing ISO 9001:2008 or just improving their quality management system, they will undoubtedly need to review and analyse their current systems and processes in order to identify gaps in compliance. Gap analysis requires that organizations review their existing processes, procedures and documentation, etc. The framework for this review technique is often provided in the format of an ISO 9001 audit checklist which many organizations and auditors consider to be an indispensable tool that actively supports the audit process.

The Advantages of the ISO 9001 Audit Checklist

Regular internal audits are carried out to ensure compliance is maintained and the ISO 9001 audit checklist comes in handy for this purpose. This is just one of many tools that are available from the auditors’ toolbox that help ensure the audit addresses the necessary requirements. It stands as a reference point before, during and after the audit process and if developed for a specific audit and used correctly will provide the following benefits:

- Ensures the audit is conducted systematically
- Promotes audit planning
- Ensures a consistent audit approach
- Actively supports the organization’s audit process
- Serves as an aide memoire
- Provides a repository for notes collected during the audit process
- Ensures uniformity in the performance of different auditors
- Provides objective evidence

Structuring the Audit Checklist

One of the simplest methods of structuring the ISO 9001 audit checklist is by taking the applicable requirements from an organization’s policies, procedures and of course, from the standard itself, and turning each requirement into a question. Be sure to include the ‘organization shall’ requirements as well.

Add a section for comments, add check boxes for compliant or non-compliant and you can even add a column to note objective evidence and to provide an audit trial. Each element of the audit process should have customized checklists to serve as documentation outputs from the audit process itself.

This type of approach is primarily utilised by external auditors, including registration and certification body auditors, but the technique can equally be applied by any organization actively seeking to enhance their audit process.

Adding Value to the Checklist

Organizations should assess the potential value that the ISO 9001 audit checklist can bring in helping their audit process to develop. It’s worth remembering that a good checklist is no substitute for an enquiring mind and a good questioning technique.

If an internal auditor uses the checklist to ask narrowly focused questions then little benefit will be derived from the audit. If, on the other hand, the auditors conduct detailed preparation of the requirements of the process they intend to cover during the audit; the checklist then becomes an invaluable output for recording and communicating that preparation work.

Using the ISO 9001 audit checklist should not restrict the scope of audit activities, since that scope may change as a result of information actually collected during the audit. The key to unlocking the checklist’s value is the willingness of the organization to use it as a guide rather than being a slave to it.


The ISO 9001 audit checklist and gap analysis tool is ideal for organizations that require a quick and affordable approach to developing a reliable framework for their internal audit process.

Download a free internal audit checklist example courtesy of ISO 9001 Checklist: