TUV INDIA TRAINING ACADEMY

situations, the organization can decide whether or not it is necessary or appropriate to maintain
documented information.

List of the documents to be maintained (documentation)

S. No. Clause Requirement Statement

no.
1. 4.3 The scope of the organization’s quality management system shall be
available and be maintained as documented information.
2. 4.4.2 a To the extent necessary, the organization shall maintain documented
information to support the operation of its processes
3 5.2.2 a The quality policy shall be available and be maintained as documented
information;
4 6.2.1 The organization shall maintain documented information on the quality
objectives
5 8.1 The organization shall plan, implement and control the processes (see
4.4) needed to meet the requirements for the provision of products and
services, and to implement the actions determined in Clause 6, by
determining and keeping documented information to the extent
necessary:
6 8.3.2 j In determining the stages and controls for design and development, the
organization shall consider the documented information needed to
demonstrate that design and development requirements have been met.
7 8.5.1 a The organization shall implement production and service provision under
controlled conditions.
Controlled conditions shall include, as applicable:
a) the availability of documented information that defines:
1) the characteristics of the products to be produced, the services to be
provided, or the activities to be performed;
2) the results to be achieved;
8 9.2.2 plan, establish, implement and maintain an audit programme(s) including
the frequency, methods, responsibilities, planning requirements and
reporting, which shall take into consideration the importance of the
processes concerned, changes affecting the organization, and the
results of previous audits;

List of the documents to be retained (records)

QMS IA ( 01-002) Rev 06 May 2022 Page 16 of 42

 TUV INDIA TRAINING ACADEMY

S. No. Clause Requirement Statement

no.
1 4.4.2 b To the extent necessary, the organization shall retain documented
information to have confidence that the processes are being carried out as
planned.
2 7.1.5.1 The organization shall retain appropriate documented information as
evidence of fitness for purpose of the monitoring and measurement
resources.
3 7.1.5.2 The basis used for calibration or verification shall be retained as documented
information;
4 7.2 d The organization shall retain appropriate documented information as
evidence of competence.
5 8.1 e The organization shall plan, implement and control the processes (see 4.4)
needed to meet the requirements for the provision of products and services,
and to implement the actions determined in Clause 6, by determining and
keeping documented information to the extent necessary to have confidence
that the processes have been carried out as planned to demonstrate the
conformity of products and services to their requirements.
6 8.2.3.2. The organization shall retain documented information, as applicable:
a) on the results of the review
b) on any new requirements for the products and services.
7 8.3.3. Rretain documented information on design and development inputs.
8 8.3.4 D. & D. reviews, D. & D. verification, D. & D. validation
documented information of these activities is retained.
9 8.3.5 Retain documented information on design and development outputs
10 8.3.6 Retain documented information on:
a) design and development changes; b) the results of reviews; c) the
authorization of the changes; d) the actions taken to prevent adverse
impacts.
11 8.4.1 Retain documented information of selection, evaluation, monitoring
performance of external providers and any necessary actions arising from
the evaluations
12 8.5.2 Retain the documented information necessary to enable traceability.
13 8.5.3 When the property of a customer or external provider is lost, damaged or
otherwise found to be unsuitable for use, retain documented information on
what has occurred.
14 8.5.6 Retain documented information describing the results of the review of
changes, the person(s) authorizing the change, and any necessary actions
arising from the review.
15 8.6 Retain documented information on the release of products and services.

16 8.7.2 The organization shall retain documented information that:

a) describes the nonconformity; b) describes the actions taken; c) describes
any concessions obtained; d) identifies the authority deciding the action in
respect of the nonconformity
17 9.1.1 Retain documented information as evidence of the results of monitoring,
measurement, analysis & evaluation
18 9.1.2 Retain documented information as evidence of the results of customer
satisfaction.
19 9.1.3 Retain documented information as evidence of the results of analysis &
evaluation.
20 9.2.2 retain documented information as evidence of the implementation of the
audit program and the audit results.
21 9.3.3 Retain documented information as evidence of the results of management
reviews.
22 10.2.2. The organization shall retain documented information as evidence of:

QMS IA ( 01-002) Rev 06 May 2022 Page 17 of 42

 TUV INDIA TRAINING ACADEMY
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.

What should the organizations do next?

There are many changes currently included in the revision to ISO 9001:2015; whether these
translate into a need for an organisation to change its management system is a more difficult
question to answer. The degree of change necessary will depend on how an organization has
developed and uses its existing management system. Consideration needs to be given to :
a] whether its ISO 9001:2008 is limited to strictly meeting the requirements as specified in the
standard or
b] whether it has systems and processes in place that, while not specifically required in ISO
9001:2008, are viewed as management best practice and may be contained in other MSS, such
as ISO 14001 (Environmental Management System) or BS OHSAS 18001 (Occupational Health
& Safety Management System or ISO 45001).

An organisation’s current evaluation and management of risk will also heavily influence the
degree of change that an organisation will need to undertake in order to meet these future
requirements of ISO 9001:2015. Against this backdrop, there are four main steps that
organizations should be considering:

1. Focus on the areas that are completely new or have been revised. Those are the areas that
are likely to be included in your transition plan. Also, make sure that quality managers and
internal auditors understand the differences that Annex SL will bring to your QMS and any other
management system standards in your organization.

2.. Engage your certification body to find out how a gap analysis and training on specific areas of
ISO 9001:2015 can benefit you personally, as well as your organization.

3. Begin formalizing a transition plan and process and ensure that top management is involved
from the start.

Given that there is a three-year transition period from the date the new standard is published, this
timeframe will allow organizations to change at a pace suited to them, which may typically involve
one certification cycle.

Key Terms and Definitions as referred in ISO 9000 : 2015

top management

person or group of people who directs and controls an organization at the highest level.

involvement

taking part in an activity, event or situation.

engagement

involvement in, and contribution to, activities to achieve shared objectives.

organization

person or group of people that has its own functions with responsibilities, authorities and
relationships to achieve its objectives.

QMS IA ( 01-002) Rev 06 May 2022 Page 18 of 42

 TUV INDIA TRAINING ACADEMY

context of the organization

combination of internal and external issues that can have an effect on an organizations’
approach to developing and achieving its objectives .

interested party

stakeholder
person or organization that can affect, be affected by, or perceive itself to be
affected by a decision or activity.

continual improvement
recurring activity to enhance performance.

process

set of interrelated or interacting activities that use inputs to deliver an intended result.

project

unique process, consisting of set of coordinated and controlled activities with start and
finish dates, undertaken to achieve an objective conforming to specific requirements,
including the constraints of time, cost and resources.

procedure

specified way to carry out an activity or a process.

outsource (verb)
make an arrangement where an external organization performs part of an
organization’s function or process.

system
set of interrelated or interacting elements.

management system
set of interrelated or interacting elements of an organization to establish policies and
objectives and processes to achieve those objectives.

quality management system

part of management system with regard to quality.

policy
intentions and direction of an organization, as formally expressed by its top management.

QMS IA ( 01-002) Rev 06 May 2022 Page 19 of 42

 TUV INDIA TRAINING ACADEMY
quality policy
policy related to quality.

strategy
plan to achieve a long-term or overall objective.

quality
degree to which a set of inherent characteristics of an object fulfills requirements.

requirement
need or expectation that is stated, generally implied or obligatory.

nonconformity
non-fulfilment of a requirement.

objective
result to be achieved.

performance
measurable result.

risk
effect of uncertainty.

documented information
information required to be controlled and maintained by an organization and the medium
on which it is contained.

monitoring
determining the status of a system, a process, a product, a service or an activity.

measurement
process to determine a value.

preventive action
action to eliminate a cause of a potential nonconformity or other potential undesirable
situation.

corrective action
action to eliminate a cause of a nonconformity and to prevent recurrence.

correction
action to eliminate a detected nonconformity.

audit
systematic, independent and documented process for obtaining objective evidence and
evaluating it objectively to determine the extent to which the audit criteria are fulfilled.

QMS IA ( 01-002) Rev 06 May 2022 Page 20 of 42

 TUV INDIA TRAINING ACADEMY

Chapter 7
Management Systems Auditing
ISO 9001 standards emphasize importance of audits as a management tool for monitoring &
verifying the effective implementation of organization’s quality management system. Audits are also
an essential part of conformity assessment activities such as external certification and of supply
chain evaluation & surveillance.

This manual provides general guidance on management of audit programs, the conduct of internal
or external audits of quality management system as well as competence & evaluation of auditors.

DEFINITON OF AUDIT

ISO 19011 defines audit as: -

A systematic, independent and documented process for obtaining objective evidence and
evaluating it objectively to determine the extent to which audit criteria are fulfilled.

OTHER DEFINITIONS

Objective Evidence
“data supporting the existence or verity of something”

 Objective evidence can be obtained through observation, measurement, test, or by other

means.
 Objective evidence for the purpose of audit generally consists of records, statements of
fact or other information which are relevant to the audit criteria and verifiable.

Audit Criteria
Set of requirements used as a reference against which objective evidence is compared.

PRINCIPLES OF AUDITING

a. Integrity : The foundation of professionalism.

honesty, responsibility, demonstrate competence, impartial, sensitive to any influence etc.
b. Fair presentation : The obligation to report truthfully & accurately.
Truthful reporting of audit findings & audit conclusion. Significant obstacles encountered during
the audit and unresolved diverging opinions between the auditee & audit team are reported.
c. Due professional care : Application of diligence & judgment in auditing.
Auditors exercise care in accordance with the importance the task they perform & the confidence
placed in them by auditee organization.
d. Confidentiality : Security of Information
e. Independence : basis for the impartiality of the audit & objectivity of audit conclusion.
The auditors remain independent of the area under audit & are free from bias & conflict of
interest.
f. Evidence based approach : the rational method for reaching reliable & reproducible audit
conclusions in a systematic audit process.
g. Risk-based approach : An audit approach that considers risks and opportunities - The risk-
based approach should substantively influence the planning, conducting and reporting of
audits.

QMS IA ( 01-002) Rev 06 May 2022 Page 21 of 42

 TUV INDIA TRAINING ACADEMY

BENEFITS OF AN INTERNAL AUDIT

 Strong evidence of demonstrating conformity to Clause 9.2,

 Important management tool to continual improvement
 Important input to management review,
 Helps organization's functions / people to assess their own performance.
 Richer in content/details since focused on company specific needs,
 Helps in assuring involvement of people.

ISSUES OF INTERNAL AUDIT

 Hierarchy
 Lack of transparency
 Egos
 Auditor gets a limited view

TYPES OF AUDITS
a) Internal Audit

First Party Audit

The audit carried out by the organization on their own system. The purpose of such audit is to
provide confidence to own management

b) External Audit

Second Party Audit

The audit conducted by customer or by organization on their suppliers. The purpose of such audit
is supplier evaluation.

Third Party Audit

The audit conducted by independent certification agency for certification purpose

QMS IA ( 01-002) Rev 06 May 2022 Page 22 of 42

 TUV INDIA TRAINING ACADEMY

MANAGING AUDIT PROGRAMME

ISO 19011 defines Audit Programme as :

Arrangements for a set of one or more audits planned for a specific time frame and
directed towards a specific purpose

ISO 9001 Clause 9.2.2 requires organization to plan, establish & implement an
‘audit programme’ which must include :
• Frequency
• Methods
• Resources
• Responsibilities
• Scope of each audit within the audit program
• Audit criteria
• Audit type
• Criteria for selecting audit team
• Relevant documented information

TYPICAL INTERNAL AUDIT PROGRAMME

Department Jan Feb Mar Apr May Jun Jul Aug Sept Oct Nov Dec
Top AP
management
Design AP AAP AAP
Planning AP AAP
Marketing & AP AAP
Sales
Manufacturing AAP AP AAP
Laboratory AAP AP AAP
Warehousing AAP AP
Distribution AAP AP
Calibration AAP AAP AP

AP : Audits planned once a year

AAP : Additional Audits Planned considering importance & previous audit results

Methods Resources Responsibility Criteria Audit type

On/Off site Competent Audit program ISO 9001, Internal,
Interviews / auditors manager Quality Outsourced
observations / manual,
documented Procedures
info.

QMS IA ( 01-002) Rev 06 May 2022 Page 23 of 42

 TUV INDIA TRAINING ACADEMY

AUDIT PROGRAMME RISKS

Sr. No. Audit Programme information Associated risk

1 Planning failure to set relevant audit objectives and
determine the extent, number, duration,
locations and schedule of the audits
2 Resources allowing insufficient time, equipment and/or
training for developing the audit programme or
conducting an audit
3 Audit team selection insufficient overall competence to conduct audits
effectively
4 Communication ineffective external / internal communication
processes / channels
5 Implementation of A.P. ineffective coordination of the audits within the
audit programme, or not considering information
security and confidentiality
6 Control of documented info. ineffective determination of the necessary
documented information required by auditors
and relevant interested parties, failure to
adequately protect audit records to demonstrate
audit programme effectiveness;
7 Monitoring, reviewing & ineffective monitoring of audit programme
improving A.P. outcomes
8 Auditee Availability & cooperation
9 Evidences Availability

AUDIT PROGRAMME OPPORTUNITIES

Opportunities for improving the audit programme can include:

 allowing multiple audits to be conducted in a single visit

 minimizing time and distances travelling to site
 matching the level of competence of the audit team to the level of competence needed to
achieve the audit objectives
 aligning audit dates with the availability of auditee’s key staff.

AUDIT OBJECTIVES

 Determination of extent of conformity with audit criteria,

 Evaluation of capability of QMS to ensure compliance to statutory, regulatory & other
committed requirements,
 Evaluation of effectiveness of QMS in meeting intended results,
 Evaluation of the suitability and adequacy of the management system with respect to the
context and strategic direction of the auditee,
 Evaluation of the capability of the management system to establish and achieve
objectives and effectively address risks and opportunities, in a changing context,
including the implementation of the related actions.
 Identification of areas for potential improvements.

QMS IA ( 01-002) Rev 06 May 2022 Page 24 of 42