What is the context of your organisation?

The standard uses the clunky term "context," but this could easily be substituted by asking about the organization's internal and external success factors. Questions about context are usually directed at top management or the person leading the quality management system (QMS), formerly known as the management representative. As an auditor, you're looking for a clear examination of the forces at work within and around the organization. Does this sound broad and a little vague? It is. Thankfully, the standard provides some guidance, saying that context must include internal and external issues that are relevant to the organization's purpose, strategic direction, and QMS goals. Many organizations will use a SWOT (strengths, weaknesses, opportunities, and threats) analysis to get their arms around context, but it's not a requirement. What the organization learns from this exercise will be a key input to risk analysis.

Who are your interested parties and what are their requirements?

The interested parties are a key input to risk. The term “interested parties” has a bizarre, stalker-like ring to it, so smart auditors might want to replace it with “stakeholders.” Remember, effective auditors try to translate the arcane language of ISO 9001:2015 into understandable terms that auditees can grasp. Typical interested parties include employees, customers, suppliers, business owners, debt holders, neighbors, and regulators.

What risks and opportunities have been identified and what are you doing about them?

Risks and opportunities could accurately be called the foundation of ISO 9001:2015. No fewer than 13 other clauses refer directly to risks and opportunities, making them the most “connected” section of the standard. If an organization does a poor job of identifying risks and opportunities, then the QMS cannot be effective.

What plans have been put in place to achieve quality objectives?

Measurable quality objectives have long been a part of ISO 9001. What’s new is the requirement to plan actions to make them happen. The plans are intended to be specific and actionable, addressing actions, resources, responsibilities, timeframes, and evaluation of results.

How do you manage change?

The first and biggest clause on the topic is clause 6.3, Planning of changes. Here we identify changes that we know are coming and develop plans for their implementation. What kind of changes? Nearly anything, but the following changes come to mind as candidates: new or modified products, processes, equipment, tools, employees, regulations. The list is endless. An auditor should review changes that took place and seek evidence that the changes were identified and planned proactively. Change that happens in a less planned manner is addressed in subclause 8.5.6.

How do you capture and use knowledge?

ISO 9001:2015 wants organizations to learn from their experiences, both good and bad. This could be handled by a variety of means: project debriefs, job close-outs, staff meetings, customer reviews, examination of data, and customer feedback. How the organization captures knowledge is up to it, but the process should be clear and functional. The knowledge should also be maintained and accessible. This almost sounds like it will be “documented” in some way.

Is your QMS documented around the processes of your organisation and have you determined the sequence and interaction of these processes? (Clause 4.4.1).

This is not a new requirement; in fact, it has been in ISO 9001 since the 2000 version, but it seems to be one of the requirements that organisations really struggle with. Essentially it means that the QMS should be written and aligned around the organisation's business processes, not written and aligned with the clause numbers of ISO 9001.

Have you determined the inputs and the expected outputs from these processes? (Clause 4.4.1).

This is new and it reinforces the previous question. When done correctly, an organisation will find that the outputs from one process are the inputs to the next, and for a process to operate effectively it needs to receive the correct outputs from the previous process. This is a positive addition to ISO 9001.
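One way to make the "outputs of one process are the inputs of the next" idea checkable is to write the process map down as data and derive the sequence and interaction from it. The script below is an added example, not code from the original page; the process names, inputs and outputs in SAMPLE_QMS are a constructed illustration of a small manufacturing QMS. It orders the processes so that every producer precedes its consumers, and it lists inputs that no process produces and outputs that no process consumes, which is exactly where an auditor will find a missing or undefined process.

```python
"""Check a QMS process map: sequence and interaction of processes (clause 4.4.1).

This is an added illustration, not code from the original page. The process
names, inputs and outputs in SAMPLE_QMS are a constructed example of a small
manufacturing QMS, not taken from any real organisation.
"""
from collections import defaultdict, deque

# Constructed example: each process lists what it needs and what it produces.
SAMPLE_QMS = {
    "Sales / order review": {"inputs": ["customer enquiry"],
                             "outputs": ["confirmed order"]},
    "Supplier evaluation": {"inputs": ["supplier performance data"],
                            "outputs": ["approved supplier list"]},
    "Purchasing": {"inputs": ["confirmed order", "approved supplier list"],
                   "outputs": ["raw material"]},
    "Document control": {"inputs": [],
                         "outputs": ["work instructions", "acceptance criteria"]},
    "Production": {"inputs": ["confirmed order", "raw material", "work instructions"],
                   "outputs": ["finished product", "production records"]},
    "Final inspection": {"inputs": ["finished product", "acceptance criteria"],
                         "outputs": ["released product", "nonconformity report"]},
    "Dispatch": {"inputs": ["released product"],
                 "outputs": ["delivered product"]},
}

# Items that legitimately come from or go to interested parties outside the QMS.
SAMPLE_EXTERNAL = {"customer enquiry", "supplier performance data", "delivered product"}


def check_process_map(processes, external=frozenset()):
    """Derive the process sequence from input/output links and report gaps.

    Returns a dict with:
      sequence  - processes ordered so every producer precedes its consumers
      looped    - processes caught in a feedback loop (no strict order)
      dangling  - {process: [inputs nobody produces and that are not external]}
      unused    - {process: [outputs nobody consumes and that are not external]}
    """
    producers = defaultdict(list)
    consumers = defaultdict(list)
    for name, spec in processes.items():
        for item in spec["outputs"]:
            producers[item].append(name)
        for item in spec["inputs"]:
            consumers[item].append(name)

    dangling, unused = {}, {}
    for name, spec in processes.items():
        missing = [i for i in spec["inputs"] if i not in producers and i not in external]
        orphan = [o for o in spec["outputs"] if o not in consumers and o not in external]
        if missing:
            dangling[name] = missing
        if orphan:
            unused[name] = orphan

    # Build producer -> consumer edges; a process feeding itself is not an edge.
    edges = defaultdict(set)
    indegree = {name: 0 for name in processes}
    for item, prods in producers.items():
        for p in prods:
            for c in consumers.get(item, []):
                if c != p and c not in edges[p]:
                    edges[p].add(c)
                    indegree[c] += 1

    # Kahn's topological sort; sorting keeps the result deterministic.
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    sequence = []
    while ready:
        n = ready.popleft()
        sequence.append(n)
        for c in sorted(edges[n]):
            indegree[c] -= 1
            if indegree[c] == 0:
                ready.append(c)
    looped = sorted(n for n, d in indegree.items() if d > 0)
    return {"sequence": sequence, "looped": looped,
            "dangling": dangling, "unused": unused}


if __name__ == "__main__":
    result = check_process_map(SAMPLE_QMS, SAMPLE_EXTERNAL)
    print("Sequence:", " -> ".join(result["sequence"]))
    for proc, items in result["unused"].items():
        print(f"Output of '{proc}' consumed by no process: {items}")
    for proc, items in result["dangling"].items():
        print(f"Input of '{proc}' produced by no process: {items}")
```

On the constructed map the check reports that "production records" and the "nonconformity report" are produced but consumed by nothing, which points at processes the map has not yet defined (control of nonconforming outputs, analysis and evaluation). Processes that feed each other, as management review and corrective action do in a real PDCA loop, are reported under "looped" rather than forced into a false linear order.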

How are you accountable for the effectiveness of the QMS? (Clause 5.1.1 a)

Top management used to have to demonstrate commitment, now they have to really step up and be accountable for the QMS. Being accountable means they have ultimate responsibility – they are expected to make decisions and justify actions. The buck stops with them.

How do you promote the use of the process approach and risk-based thinking? (Clause 5.1.1 d)

There are two things here that the boss needs to know: 1. the process approach and 2. risk-based thinking; but the question should actually not be about their knowledge, but about how they “promote” both things. Do they ‘walk the talk’? Do they chair awareness sessions? Do they say and do the right things?

How do you engage with, direct, and support persons to contribute to the effectiveness of the QMS? (Clause 5.1.1 h)

This is not about abdicating the responsibility to someone else (in the old days this may have been the “quality manager”). This is about persons (plural), so it means everyone involved in the QMS. How actively involved is the boss with the people on the ground or those on the front line?

How do you promote improvement? (Clause 5.1.1 i)

Improvement means that the organisation is becoming better, and this improvement should be aligned with the quality objectives (Clause 6.2) and the strategic direction. But as with the question on promoting the process approach and risk-based thinking, this is not about the boss knowing these things; it is about how he or she promotes them.

How do you support the other management so they can demonstrate their leadership? (Clause 5.1.1 j)

What does the boss do to ensure that the other managers (at all levels) are able to show their staff the importance of the QMS and how it applies to them? How do the other managers, from the senior management team down to the front line, promote the requirements and benefits of the QMS? Hopefully you will have noticed similarities between the key areas of the 2008 and 2015 versions; for the most part there is strong continuity. However, the 2015 requirements focus more on aligning with the organisation's strategy and making the QMS more relevant to the business.

Who is going to be in charge of QMS if there will not be MR (Management Representative) requirement anymore?

Organizations may decide to keep their MR, but his or her roles and responsibilities will be different once the QMS leaders are the business process owners and therefore part of the plant leadership team.

How should we document the context of the organization? Is the Quality Policy a good place to describe the new context of the organization?

No, the Quality Policy is not a good place for the context of the organization. The context can be documented in the Quality Manual, if the organization decides to keep one. Although some documents and procedures are no longer mandatory, they can be retained and serve as a good repository of evidence of compliance with the new concepts introduced by the new version of the standard.

How do we demonstrate and provide evidence for risk-based thinking? How is risk-based thinking different from risk management? How do we document the opportunities rather than risks?

Risk-based thinking is simpler than risk management. The standard does not require documented information for it, so auditors will typically accept an explanation of how it was performed rather than insisting on records. Nor does the standard require a specific tool or methodology as evidence of risk-based thinking, either for the identification of risks and opportunities or for the subsequent action plan. Companies intuitively apply risk-based thinking, which replaces preventive action in the 2015 version of the standard. Businesses do, however, still need risk management and mitigation plans regardless of what the standard demands. There are several common risk analysis tools, most of them listed in IEC 31010 (Risk assessment techniques). Firms may want to use simple tools such as a SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis or a nine-box grid, or expand the use of FTA (Fault Tree Analysis) or PFMEA (Process Failure Mode and Effects Analysis) if they already use these tools because of an industry or customer requirement.

Continual or Continuous improvement?

Continuous improvement never stops until perfection is achieved. Continual improvement presumes a set target to be achieved at a certain point or within a time frame; once it is achieved, a new target is set and the cycle continues, with no concept of perfection. Continuous is therefore theoretical (the company's overall continuous improvement programme), while continual is practical (a specific improvement project). The standard refers to continual improvement in several clauses.

How has the QMS been integrated into the organization’s business processes?

The point is that ISO 9001 is moving away from being a quality management system standard and becoming a strategic management system. It's not just about making sure products or services meet requirements anymore. The standard is about managing every aspect of the business. Remember clauses 4.1 and 4.2 of ISO 9001:2015? They examine the key topics of context and interested parties. These concepts touch every corner of the organization, and this is exactly how ISO 9001:2015 is intended to be used. Top management should be able to describe how the QMS is used to run the company, not just pass an audit.

What Is Meant By Risk? How You Can Avoid The Risks?

Risk is anything that could lead to a failure, defect or error in the application or process. Risks are managed by applying a proper risk matrix to the process: the risk matrix shows the controls within application systems that are used to reduce each identified risk, and in which segment of the application that risk exists. For example, team members leaving the organisation in the middle of a project is a risk for the manager; as preventive action, the manager can ask for a bond from the employee or keep an identified number of back-up resources on the project.

What are the Mandatory documents and records required by ISO 9001:2015?

Here are the documents you need to produce if you want to be compliant with ISO 9001:2015. (Please note that some of the documents will not be mandatory if the company does not perform relevant processes.):
Scope of the QMS (clause 4.3)
Quality policy (clause 5.2)
Quality objectives (clause 6.2)
Criteria for evaluation and selection of suppliers (clause 8.4.1)
And, here are the mandatory records (note that records marked with * are only mandatory in cases when the relevant clause is not excluded):
Monitoring and measuring equipment calibration records* (clause
Records of training, skills, experience and qualifications (clause 7.2)
Product/service requirements review records (clause
Record about design and development outputs review* (clause 8.3.2)
Records about design and development inputs* (clause 8.3.3)
Records of design and development controls* (clause 8.3.4)
Records of design and development outputs* (clause 8.3.5)
Design and development changes records* (clause 8.3.6)
Characteristics of product to be produced and service to be provided (clause 8.5.1)
Records about customer property (clause 8.5.3)
Production/service provision change control records (clause 8.5.6)
Record of conformity of product/service with acceptance criteria (clause 8.6)
Record of nonconforming outputs (clause 8.7.2)
Monitoring and measurement results (clause 9.1.1)
Internal audit program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management review (clause 9.3)
Results of corrective actions (clause 10.1)

Quality Control Is Reactive In Approach?

Quality control is not reactive in approach: quality is built into the product from the design stage, and SPC charts indicate that a process is drifting before it goes out of control, so corrective action can be taken before defective products are produced.

What is an Environmental Management System?

An environmental management system (EMS) is a structure of connected elements that define how an organization manages its environmental impacts.  These elements include policies, organizational structure, procedures, goals and objectives, and defined processes.  In order to be effective, all of these various elements must work together cohesively and be a part of the overall business management system.  Most organizations already have some of these elements in place, but often they’re not joined in a cohesive system.

Which law applies to each of these risks?

You’ve got to know the legal obligations in order to put the correct measures in place – so when you identify the risk, you also need to know which law applies, and the minimum requirements to comply with that law. The standard also requires you to have this information documented – to clearly show you understand your risk and have identified the applicable legislation.

Who in the company needs access to the legislation related to these risks?

All employees with a responsibility to manage risks must have access to the legislation, but in particular all of management. The auditors will focus on determining whether management understands and knows how to identify the legislation that they have an obligation to comply with.

What’s the best way to keep track of applicable legislation?

A legal register is the practical way to both identify the legislation that applies to each risk and link the risk to that legislation. It demonstrates to the auditor that you have identified your risks and that you are fully aware of the laws applicable to each.

How specific should you be when linking legislation to risk? Can it be done at Act level?

Within pieces of law, there are a lot of different requirements – so different sections will apply to different activities and different risks. For example, out of a piece of legislation, there might only be two sections that apply to a particular activity like ‘working at heights’. If you simply link the entire legislation, the auditor will ask you to identify the specific section that applies to this risk. Sections from another Regulation might be associated with that risk too, and those would also need to be identified and linked to the risk – so it’s really important that linking is done at section level.

What are the consequences if you don’t link a risk to specific sections?

The auditor will tell you that you haven’t adequately identified the legislation applicable to the risk. You therefore don’t have the information you need to mitigate that risk, and you’ll get a finding. Before you can get your ISO certification, all findings need to be closed out, and you are usually given 90 days to do so.
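The section-level linking described in the last three questions is easy to enforce if the legal register is held as data rather than as a free-text list. The script below is an added example, not code from the original page. The Acts, section numbers, activities and risks it uses are constructed placeholders (no real legislation is quoted); the check reproduces the auditor's question: is each risk linked to the specific section(s) that apply, not merely to an Act? It also answers the reverse question, which risks are affected when a given section is amended.

```python
"""Legal register that links each risk to specific sections of legislation.

Added example, not code from the original page. The Acts, section numbers,
activities and risks below are constructed placeholders (no real legislation
is quoted); the check reproduces the auditor's question in the text: is each
risk linked to the specific section(s) that apply, not merely to an Act?
"""
import re
from dataclasses import dataclass, field

# A reference is written "<Act name>, s. <section>"; an Act name alone is Act-level.
_SECTION_REF = re.compile(r"^(?P<act>.+?),\s*s\.\s*(?P<section>[\w.()\s-]+?)\s*$")


@dataclass
class Risk:
    activity: str
    hazard: str
    controls: list = field(default_factory=list)
    legal_refs: list = field(default_factory=list)


def parse_ref(ref):
    """Split a reference into (act, section); section is None at Act level."""
    m = _SECTION_REF.match(ref.strip())
    if m:
        return m.group("act").strip(), m.group("section")
    return ref.strip(), None


def audit_register(risks, legislation):
    """Return audit findings as (risk label, finding) tuples.

    `legislation` maps an Act name to the set of section ids held in the register.
    A risk with no link, an Act-level-only link, or a link to an unknown Act or
    section produces a finding, which is what an auditor would raise.
    """
    findings = []
    for risk in risks:
        label = f"{risk.activity} / {risk.hazard}"
        if not risk.legal_refs:
            findings.append((label, "no legislation linked"))
            continue
        for ref in risk.legal_refs:
            act, section = parse_ref(ref)
            if act not in legislation:
                findings.append((label, f"Act not in legal register: {act}"))
            elif section is None:
                findings.append((label, f"linked at Act level only: {act}"))
            elif section not in legislation[act]:
                findings.append((label, f"section not found: {act}, s. {section}"))
    return findings


def affected_risks(risks, act, section):
    """Reverse lookup: which risks depend on this section (e.g. when the law changes)."""
    return [f"{r.activity} / {r.hazard}" for r in risks
            if any(parse_ref(ref) == (act, section) for ref in r.legal_refs)]


# Constructed placeholders, not real legislation.
LEGISLATION = {
    "Working at Heights Regulation (example)": {"4", "6", "7", "Sch. 1"},
    "Electrical Safety Regulation (example)": {"3", "5"},
}

RISKS = [
    Risk("Roof maintenance", "fall from height", ["edge protection", "harness"],
         ["Working at Heights Regulation (example), s. 4",
          "Working at Heights Regulation (example), s. 6"]),
    Risk("Mezzanine storage", "fall from open edge", ["guard rail"],
         ["Working at Heights Regulation (example)"]),            # Act level only
    Risk("Switchboard work", "electric shock", ["lock-out / tag-out"],
         ["Electrical Safety Regulation (example), s. 9"]),        # section not held
    Risk("Forklift operation", "collision with pedestrians", ["segregated routes"],
         []),                                                      # nothing linked
]

if __name__ == "__main__":
    for label, finding in audit_register(RISKS, LEGISLATION):
        print(f"FINDING  {label}: {finding}")
    print("Risks affected by a change to s. 6:",
          affected_risks(RISKS, "Working at Heights Regulation (example)", "6"))
```

Only the roof-maintenance risk passes: the mezzanine risk is linked at Act level only, the switchboard risk cites a section the register does not hold, and the forklift risk has no legislation linked at all. Each of those is the kind of finding the auditor would raise and that would have to be closed before certification.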

What are the mandatory documents and records required by ISO 45001:2018?

Here are the documents you need to produce if you want to be compliant with ISO 45001:
Scope of the OH&S management system (clause 4.3)
OH&S policy (clause 5.2)
Responsibilities and authorities within OH&SMS (clause 5.3)
OH&S process for addressing risks and opportunities (clause 6.1.1)
Methodology and criteria for assessment of OH&S risks (clause
OH&S objectives and plans for achieving them (clause 6.2.2)
Emergency preparedness and response process (clause 8.2)
And, here are the mandatory records:
OH&S risks and opportunities and actions for addressing them (clause 6.1.1)
Legal and other requirements (clause 6.1.3)
Evidence of competence (clause 7.2)
Evidence of communications (clause 7.4.1)
Plans for responding to potential emergency situations (clause 8.2)
Results on monitoring, measurements, analysis and performance evaluation (clause 9.1.1)
Maintenance, calibration or verification of monitoring equipment (clause 9.1.1)
Compliance evaluation results (clause 9.1.2)
Internal audit program (clause 9.2.2)
Internal audit report (clause 9.2.2)
Results of management review (clause 9.3)
Nature of incidents or nonconformities and any subsequent action taken (clause 10.2)
Results of any action and corrective action, including their effectiveness (clause 10.2)
Evidence of the results of continual improvement (clause 10.3)

What is ISO 45001?

ISO 45001 is the new international standard for occupational health and safety management systems (OHSMSs). Its full title is Occupational health and safety management systems – Requirements with guidance for use; it contains 10 clauses and an informative annex, together with a bibliography and an index of terms. It is the first international standard for health and safety management. It follows the same high-level structure as the other ISO management system standards, e.g. ISO 9001 (quality), ISO 14001 (environment) and ISO/IEC 27001 (information security), and it has replaced OHSAS 18001 (Occupational health and safety management systems – Requirements).

How will ISO 45001 help organisations to put an OHSMS in place?

ISO 45001 provides an internationally-agreed framework for managing occupational health and safety risk in a proportionate way, regardless of an organisation’s size, sector or country of operation. It helps organisations to develop and implement the right policies and processes – taking a systematic plan-do-check-act and risk-based approach.

How does ISO 45001 generally compare to OHSAS 18001?

Users of OHSAS 18001 will find much in ISO 45001 that they’re familiar with – it has many common features, including risk-based thinking and the plan-do-check-act model. A good management system certified under OHSAS 18001 should have covered much essential ground towards becoming a good management system under ISO 45001 too. The main difference will be the approach. Top management must be more actively involved and ensure effective worker participation and promote a positive culture. They’ll also need to give greater consideration to the context of the organisation and stakeholder expectations. Some may decide to take advantage of the opportunity to rationalise and use other forms of documented information, reducing their paper-based systems.

What are the potential benefits of adopting ISO 45001?

Applying ISO 45001 and effectively managing occupational safety and health risks can assist an organisation to:

-minimise occupational safety and health risk to all those working on its behalf (including to their mental and physical health)
-improve its occupational health and safety performance continually
-integrate occupational health and safety into its business management system and processes
In addition to reduced injury, illness and death, good occupational safety and health management can help organisations to enhance productivity, reputation, reliability and business success.

EnMS is applicable for which type of industry?

It has worked in industry, commercial businesses and service sectors. It has not really mattered whether the organisation was small, mid-size or large, or whether the sector was transportation, services, commerce or industry. Any kind of industrial or commercial business can save money with an EnMS.

What is ISO 50002 standard?

ISO 50002 covers energy audits; its purpose is to define the processes leading to the identification of opportunities for improving energy performance. It is basically a detailed review of the energy performance of an organisation, a process, or both.

What about ISO 50003 standard?

ISO 50003 specifies requirements for bodies providing audit and certification of energy management systems. It is used in conjunction with ISO/IEC 17021-1, the standard that most people dealing with conformity assessment of management systems are familiar with.

What about ISO 50004 standard?

ISO 50004 gives guidance for the implementation, maintenance and improvement of an energy management system. It helps organisations and individuals understand the requirements of ISO 50001, what they can do to implement them, and how to keep improving energy management and energy performance.

What about ISO 50006 standard?

ISO 50006 focuses on the energy baseline (EnB) and energy performance indicators (EnPIs). Since these are among the main requirements of ISO 50001, this standard gives guidance to help organisations establish and use them.

What about ISO 50015 standard?

ISO 50015 covers the measurement and verification of organizational energy performance. It establishes a common set of principles and guidelines to be used for measuring and verifying organizational energy performance.

Where should I start? What do the first steps look like in our organisation?

Many organisations have started very simply with the questions: what kinds of energy do I have, and how much of each am I using? Another simple starting point has been to engage everybody in the organisation in better understanding how and why that energy is being used. Just because it has always been done that way does not mean it is the best way, so what ideas can be brought in to improve the way energy is used? You will find that every employee in the organisation has good ideas for improving energy use, if you give them the opportunity and listen.

What is the focus of 'product safety' clause?

The product safety clause focuses on the product and manufacturing process characteristics that affect the safety performance of the final assembly.

Are MSA studies required for each measuring instrument?

No, an MSA study is not required for each individual measuring instrument. Instruments can be grouped by measurement range, resolution, repeatability, etc., and the MSA study performed on a sampled instrument from each group.

Can we calibrate the measurement instrument from the Manufacturer of instrument?

The calibration agency, whether the instrument manufacturer or a third party, shall be accredited to ISO/IEC 17025. If it is not, you can obtain approval from your customer to use a non-accredited calibration agency.

Do we need to consider OEM CSRs even if we supply the product through a Tier-1 customer?

The organisation shall consider the customer-specific requirements of its DIRECT customers only.

Is it mandatory to cover all shifts for each manufacturing process audit?

No, each manufacturing process audit does not have to cover all shifts in one audit, but all manufacturing processes have to be covered in each audit.

Is it required that the calibration certificate and test report bear the mark of ISO/IEC 17025 / NABL?

Yes; certificates of calibration or test bearing the mark of the national accreditation body are acceptable.

Is layout inspection different from product re-qualification or functional testing?

Yes. Layout inspection is the complete measurement of all product dimensions shown on the drawing; performance or material measurements are not included in a layout inspection. Product re-qualification implies full validation of the product approval requirements and therefore exceeds the scope of a layout inspection.

Does a product audit differ from a layout inspection?

A product audit may include verification of dimensional, performance or material requirements, while a layout inspection is limited to dimensional requirements.

How to define the product design scope for an organisation?

If an organisation produces the product based on engineering specifications or drawings supplied by the customer, then the organisation is not product design responsible.

Can we exclude the design clause from the IATF certification scope?

Only the product design clause can be excluded, and only if the organisation is not design responsible. In all cases the organisation is responsible for manufacturing process design, which cannot be excluded.

© Internal Auditor Certification 2020