Auditor Guidelines
[Flowchart: audit process overview (layout lost in extraction). Labels: Supporting Inputs; Administration; Operations Manager; Auditor. Boxes: Receive AAA, sign and return to IMS with audit report; Auditor Appointment Acknowledgement (Form 3); decision "Document Review required?" (Yes / No); Receive clients Documented Management System from IMS; Send completed Document review report to IMS; Stage 1, Stage 2, Surveillance or Reassessment; Audits to be planned and undertaken in accordance with IMS requirements and provisions of ISO 19011; Undertake Audit; Complete Audit report form; Where required, Auditee send corrective action plan to IMS Admin; IMS Manages Certification process; Audit informed of outcome.]
Auditor Requirements
Doc 05 / 13
Page 1 of 15
2.1 General
Before undertaking any audit for IMS, an auditor must undertake the following:
Supply a copy of c.v. and all relevant certificates to IMS to enable identification of competent scope areas;
Complete Form 30, Auditor Competence Record;
Scope Review forms and Risk Assessments completed;
Read the IMS Quality Manual, Quality Policy and relevant IMS Scheme Documents;
Read IMS Auditee Guidelines;
Read IMS procedures for certification, confidentiality and auditor training (Proc 6, Proc 7 and Proc 11);
Sign Contractor Agreement.
2.2 Competence
All auditors and technical experts used by IMS are regularly monitored, including via
observed assessments and post-audit reviews, to ensure continued competence and to
identify training needs. The procedure for this is set out in Proc 11. Auditors are also
required to keep IMS informed of any training they undertake independently, and to
provide copies of certificates as appropriate.
All auditors will be required to have read ISO 19011 (the new guidelines for QMS and/or
EMS auditing), and to have passed an IRCA-registered lead auditor course, or other
relevant training programme. IRCA registration is desirable, though not essential.
Competence requirements for auditors and technical experts have been defined for all
technical areas in which IMS provides certification services. All auditors and technical
experts used by IMS have been assessed in terms of their competence for each
technical area, and auditors and technical experts are assigned with reference to this.
Any concerns of auditors regarding their competence assessment, or their competence
for any specific assignment, should be referred to Head Office.
Auditors must have passed an IRCA-Registered Lead Auditor course to ISO 9001:2000
TickIT if auditing under the TickIT scheme. In addition to the competencies stated above,
the auditor must also have knowledge of The TickIT Guide.
Auditors for schemes other than ISO 9001 will also need to satisfy any scheme-specific
requirements as detailed in the relevant IMS Scheme Document.
3 Audit Process
3.1
3.2 Document Review
[Flowchart: document review process (layout lost in extraction). Columns: Responsibilities (Auditor); Supporting Inputs. Boxes: Receive AAA, sign and return to IMS with Audit Report; Auditor Appointment Acknowledgement (Form 3); Receive Documented Management System from IMS; Electronic or Paper; Compare against relevant standards and guidelines; Complete Audit report form; Form 9A; Send to IMS Administration; decision "NCs Raised?" (Yes / No); Audit report should detail NCs and specify verification process, i.e. submitting evidence or closed out during the audit; Proceed to next audit as necessary; Keep IMS Administration up to date with progress.]
3.3 Audit Planning
Auditors are responsible for planning audits, and ensuring that the client receives an
audit plan at least 10 working days before the day of the audit. In preparing the audit
plan, the auditor should consider the following:
Initial Audits should cover all relevant aspects of the standard against which the client is being assessed;
The Visit Planner table within the Audit Report (Form 9) identifies areas of the relevant standard that must be covered at every surveillance visit;
All other areas of the relevant standard must be covered at least once during the three-year surveillance cycle;
For Initial Audits, the auditor should use the client's Management System documentation to identify areas for specific focus, to determine appropriate timescales and identify relevant people to interview during the audit;
For Surveillance Visits, auditors should consider previous audit reports, including non-compliances and observations raised, and in particular areas identified for checking on the Visit Planner table in order to determine areas to focus on during the audit;
Auditors should also plan the audit to ensure that all relevant parts of the auditee's business covered by the scope and proposed certificate are covered. This should also take account of multiple locations where appropriate;
The Auditor should send the appropriate completed Audit Plan template (Form 4) to IMS Administration at least 14 working days before the audit; Administration shall forward a copy to the client. The plan should, as a minimum, give the proposed timescales for the audit, identify which areas each auditor will be covering, and give the auditee a clear idea of which staff will be required and when.
The Audit Plan should be considered as a useful tool for both the audit team and the
auditee, but should not be seen as set in stone. In practice the audit findings and the
auditee's working practices are likely to lead to differences in what is seen when.
Audit Plans to use and when:
Form 4A- Stage 1 Assessments
Form 4B- Stage 2 Assessments
Form 4C- Surveillance Visits
Form 4D- Reassessments
The audit plan shall cover the following:
Audit objectives
Audit scope, including identification of the organisational and functional units and processes to be audited
The dates and places of the on-site audit activities, including meetings with the client's management and audit team meetings
The roles and responsibilities of the audit team members and accompanying persons
Planning and report writing time, which should be no greater than 10% of total audit time (45 minutes for an 8 hour audit day).
3.4
Notes:
1 A non-compliance is a failure to comply with one or more requirements of the relevant standard or the
organisation's own procedures, or a situation which raises significant doubt as to the capability of the Management
System to achieve the policy and objectives of the organisation.
An observation is an observed fact which, whilst not a non-compliance, is felt by the auditor to be a concern or
opportunity for improvement that could benefit from the attention of the Auditee.
3.4.1
The initial certification audit of a management system shall be conducted in two stages: stage 1
and stage 2.
Stage 1 audit
The stage 1 audit shall be performed:
To audit the client's management system documentation (this can be done off-site; Contract review will specify);
To review the client's status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
To review the allocation of resources for stage 2 and agree with the client on the details of the stage 2 audit;
To provide a focus for planning the stage 2 audit by gaining a sufficient understanding of the client's management system and site operations in the context of possible significant aspects;
To evaluate if the internal audits and management review are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for the stage 2 audit.
Stage 2 audit
The purpose of the stage 2 audit is to evaluate the implementation, including effectiveness, of
the client's management system. The stage 2 audit shall take place at the site(s) of the client. It
shall include at least the following:
Links between the normative requirements, policy, performance objectives and targets
(consistent with the expectations in the applicable management system standard or other
normative document), any applicable legal requirements, responsibilities, competence of
personnel, operations, procedures, performance data and internal audit findings and
conclusions.
Outcome of Audit
The audit team must make a judgement, based on the evidence gathered during the
audit, as to whether the audited system meets the requirements of the relevant standard.
Based on this judgement, a recommendation should be made to the Certification Officer.
This recommendation may be:
(i)
(ii)
(iii)
In the case of (ii) above, the client should be informed at the closing meeting of how
corrective actions are to be verified. This will depend on the judgement of the auditor,
taking the following requirements into consideration:
In all cases, a Corrective Action Plan (Form 10) should be sent to IMS by the Auditee within 28 days, or an alternative appropriate period as determined by the auditor (no more than 3 months);
For initial assessments, objective evidence must also be sent to IMS demonstrating closure of all corrective actions before a certificate is issued;
For surveillance visits, the auditor should determine whether corrective action can be verified at the next visit, or whether objective evidence should be sent to IMS within a specified time period. If non-conformances remain open from the previous audit then objective evidence shall be requested from the client to support their corrective action plan. If necessary a follow-up visit will also be recommended to verify closure of the non-conformances;
Auditees will be expected to consider any observations raised by the auditor as part of their Management Review process or other appropriate mechanism, but will not be required to take any action, nor to list any actions decided upon on the Corrective Action Plan.
3.8 Audit Reporting
IMS will ensure that all auditors are supplied with up-to-date versions of the Audit Report
Form (Form 9). Please ensure that you delete any old versions when issued with new.
Do not use an old copy of the client's audit report and update the information. The
various sections of the Audit Report should be completed as outlined, and in the order
set out below.
Audit Details
Completion of this page should be self-explanatory.
Verification of Closure of Non-Compliances
This page should be used to record evidence of closure of non-compliances from previous visit(s). If
there are no non-compliances to close out, then this should be clearly stated, and the page included in
the audit report.
Summary of Audit Findings & Visit Planner
The number of non-compliances and observations found under each clause of the relevant standard(s)
should be listed on this page(s).
The auditor should also check that customer complaints are being handled appropriately, and that the
IMS and UKAS logos are being used correctly. Non-compliances or observations against either of these
aspects should be recorded in the relevant boxes.
Visit Planner- This table is used to identify which clauses were checked during the audit, and which
clauses should be checked at the next visit (see section 3.3). Any specific areas that should be checked
(e.g. sites, work activities or departments that were considered weak or were not able to be assessed
fully) should also be identified on this table.
Audit Summary
The comments and concerns boxes on this page should always be completed. It is important that
auditors include positive and negative feedback in this section, and highlight aspects of the audited
system that are areas of good practice.
The auditor should also use this page to make a recommendation for or against certification, and to
make clear what follow-up action is required with regard to corrective action, as described in section 3.5.
Any useful comparisons with the results of previous assessments of the system should also be included.
Non-Compliances / Observations Raised
Details of all non-compliances should be listed on this page. The level of detail should be sufficient for
the client to determine effective corrective action, and for the Certification Officer and any future auditor
to determine the severity of the finding and the appropriateness and effectiveness of corrective action
undertaken.
Details of observations should also be listed on this page, in sufficient detail for the client to consider the
finding, and future auditors to re-visit the area.
Findings should be numbered sequentially, and the relevant clause number identified.
If there are no non-compliances or observations raised, then this should be clearly stated, and the page
included in the Audit Report.
Extra pages should be printed off or photocopied as required.
Opening Meeting Mandatory Agenda; Closing Meeting Mandatory Agenda
Completion of these pages should be self-explanatory.
Photo Evidence
This section is optional and is more likely to be used when carrying out environmental and health and
safety audits. Sometimes it is far easier to take a picture than to try to write down detailed information
with regard to audit evidence, especially if it is visual evidence. Always ensure that you ask the client
and/or audit guide if it is acceptable to take photographic evidence and place it within the audit report
prior to taking any pictures. We do not require any specific quality of the photographs as it will not be
used for specific audit evidence and any non-conformances or observations must always be included on
the non-conformance / observation section.
Note that Audit Reports and Audit Notes should be written or translated into English.
Audit Reports to use and when:
Form 9A- Document Reviews and Stage 1 Assessments
Form 9B- Stage 2 Assessments
Form 9C- Surveillance Visits and Follow-up Audits
Form 9D- Reassessments
For AS 9100 and AS 9120 Audits the Following Reports should be used:
Form 25A- Document Reviews and Stage 1 Assessments
Form 25B- Stage 2 Assessments
Form 25C- Surveillance Visits and Follow-up Audits
Form 25D- Reassessments
3.9 Certification
Following the audit, the auditor will send the Audit Report to IMS, along with the audit
notes and any other relevant information or evidence collected during the audit. The
auditor should also inform the client to send details of corrective actions to IMS as
described in section 3.5.
All information sent to IMS should be written in, or translated into, English. The client's
Corrective Action Plan and Objective Evidence should also be in English where possible.
If this is not possible, the Corrective Action Plan and / or Objective Evidence should be
sent to the Lead Auditor who must provide a translation and/or summary of the
information, and also indicate whether he or she thinks that the information submitted is
acceptable.
The Certification Officer will undertake the Certification Review as detailed in Proc 6. If
required, the auditor may be contacted to provide clarification, additional information, or
to comment on corrective action submitted by the client.
The auditor will be informed of the outcome of the Certification Review.
3.10
The second section, root cause, requires the client to detail how the non-conformance
occurred. There are techniques such as 5 whys that help the client discover what
the root cause of the problem was. Doc 6F, Guidance notes on root cause analysis, has
been produced for use by auditors and is available on the IMS website for clients to use.
The third stage of the Plan, Long Term Corrective Actions, needs to detail what the
client has done and what systems have been changed or implemented to ensure that the
problem identified in the root cause section, which generated the non-conformance, has
been dealt with and will not re-occur.
If you are not satisfied with the Corrective Action Plan that has been submitted, then
make a comment in the comments section of the form detailing what further
information/clarification is required from the client. This can be forwarded on to the IMS
Admin department to subsequently inform the client. The IMS Admin department will
chase the client for the follow-up information as required. The comments section can
also be used for reminders or actions for the next visit; an example of this would be to
review the skills matrix during the next audit for all new employees. When you are happy with
the Corrective Action Plan you shall sign and date the bottom section and submit to IMS.
3.11 Auditor Feedback
As part of the Certification Review, the Certification Officer will ensure that the
documentation provided by the auditor is complete, correct, and of a sufficiently high
standard, and will also review the completed Auditee Feedback Questionnaire where
completed. Any examples of audits not being conducted or reported in line with the
requirements of IMS International or relevant schemes will be detailed on a Non-Conformance
Report and forwarded to the auditor, along with required corrective action.
A copy of the Report will also be kept in the staff file and reviewed as part of the annual
competence review of each auditor (see Proc 11).
3.12 Certification Cycle
Any new client will receive an initial assessment, with the number of required audit days
based upon specified guidance, but varied according to factors such as simplicity /
complexity of operations, number of sites, exclusions etc.
Certification will in most cases last three years. An initial surveillance visit will generally
be carried out after nine months, and thereafter annually or 6-monthly. The number of
days per surveillance visit will be approximately one third of the days required for initial
assessment, though could vary depending on the reliance that can be placed on the
system as identified during the audits.
Surveillance visits shall include on-site audits assessing the certified client's
management system's fulfilment of specified requirements with respect to the standard to
which certification is granted. They will also cover as a minimum:
Effectiveness of communication;
Before the expiry of the certificate, a re-assessment will be undertaken. The number of
days will generally be two-thirds of the days required for initial assessment, but will
depend on the number of audit days undertaken during the certification cycle as
compared to guidance, and also on the level of compliance demonstrated during the
cycle.
Re-assessment will ensure:
Document Checklist
Auditors must ensure that they have a copy and have read the documents listed below.
IMS is responsible for ensuring that auditors receive updated versions of these
documents as they are revised.
1
Proc 7: Confidentiality