Management System Auditing: How to Relax When the Auditor Arrives
Presented by:
Monisha Mandal – Telesis Corporation
Lisa DuBrock – Radian Compliance, LLC
Sally Smoczynski – Radian Compliance, LLC
Agenda
• Management System Auditing – Overview
• Internal Audits
• External Audits – 2nd party and 3rd party
• The Company's Perspective
• Relax
Background
• A requirement of every management system standard.
o ANSI/ASIS SPC.1 – Organizational Resilience – Clause A5.5
o ANSI/ASIS PSC.1 – Private Security Company Operations – Clause 10.5
o ISO 9001 – Quality Management Systems – Clause 8.2.2
• 3 types of auditing
o 1st Party – Internal Auditing
o 2nd Party – Typically Supplier initiated
o 3rd Party – External Audit/Certification Audit
• 2 International Audit Standards
o ISO 17011 – used by Certification Bodies/Registrars
o ISO 19011 – Used by both internal and external auditors
Requirements for Certification
• Internal Audit
o At least 1 full system effectiveness audit to the standard needs to be completed prior to the stage 2 certification audit
o Most organizations initially elect to have 2 internal audits prior to certification
• A documentation and readiness review
• An effectiveness review
• External Audit
o Always 2 audit events
o 1st event – a readiness review. Is the organization ready to move on to certification?
o 2nd event – an effectiveness review. The words you are waiting to hear – “You are recommended for certification”
Internal Audits
• DEF. – Systematic, independent and documented process for obtaining and objectively evaluating evidence – do you do what you say?
• Conducted by employees or outside contractors
• KEY - competence and independence
• COMPETENCE
o How to Audit
o Understand the Organization
o Understand the Standard
• INDEPENDENCE
o Can’t audit your own work
Internal Audits (Cont.)
• Documented Process
o Required documentation
• Audit Schedule
• Audit Plan
• Opening meeting agenda/minutes
• Closing meeting agenda/minutes
• Audit Report –
o Non-conformities – Major, Minor and OFI’s
• Inputs to Continual Improvement and Management Review
• Timing and scheduling – 2.5 – 3 times that of the external audit process
• Annual or more often – 2-3 months prior to your surveillance audit
• Important – your corporate culture
Internal Audits (Cont.)
• People involved
o Management Representative
o Senior Management
o Process Owners
o Process Executors
o Internal Auditor
• Internal Audit Pros
o Potential issues exposed
o practice what you are going to say, and how to say it
o Not a ‘Gotcha Audit’
• Internal Audit Cons
o Potentially Time Consuming
o Hinges on Knowledge and Competency of auditor
2nd Party Audits
• A 2nd party audit is an external audit generally performed by a customer or supplier, or by others on their behalf.
• Companies are subject to 2nd party audits if they are
part of partner programs such as Cisco or Microsoft.
• You might provide services to a Customer who has included specific requirements within the contract that you must adhere to. Examples may be certain information security requirements, controlled procedures or business continuity requirements.
• Continued audits are determined by the rules of
engagement with that customer or supplier
3rd Party Audits
• The 3rd party audit is also an external audit, but is generally performed by independent organizations such as registrars (certification bodies) or regulators.
• 3rd party audits are auditing your organization to a
set of requirements, such as an ISO standard or
other auditable framework.
• In most cases, 3rd party audits result in your
organization getting a certification or a statement
of compliance.
• 3rd party audits are generally time-based and may require annual review and re-certification after 3 years.
Relax
• By the time the audit is scheduled, your organization has prepared itself accordingly and has followed the terms of the requirements to the best of its ability.
• Practice audit scenarios before the “real” audit.
Learn from the internal audits.
• In a continual improvement model, it is all about
improvement, so if there are deficiencies, making
them better is encouraged and good practice.
“We all need people who will give us feedback. That's how we improve.”
~ Bill Gates
Telesis Corporation
• Celebrating 16 years
• Government contractor
• Strategic Business Areas
o Engineering Services for Fielded Systems
o New Equipment Training and FSR Cross Training
o Help Desk Solutions and Services
o Information Technology Services
o Cybersecurity Services
Why Audit? An Organization's Perspective
o Why does any company want to get into a certification or an audit?
• Market driven
• Approvals / Contracts
• Regulatory issues – compliance, e.g. accurate posting of jobs on State Boards
• Accountability - Professional reputation and credibility
• Process Improvement
Confusing Start with ISO Certification….!!!!
o ISO – International Organization for Standardization
At ISO, they only develop International Standards.
They DO NOT CERTIFY OR ACCREDIT
o IAF – International Accreditation Forum
The IAF is the world association of Conformity Assessment Accreditation Bodies
o CB – Certifying Body – if accredited with IAF or the national accreditation body
o ANAB – The ANSI-ASQ National Accreditation Board provides the accreditation for the certifying body in the US. ANAB is a signatory of the International Accreditation Forum (IAF)
o APMG – Same as ANAB
o ANSI – American National Standards Institute
o Many Others……..
Confusing Start with ISO Certification….!!!!
HELP!!!!
INTERNAL AUDITOR PARTNERSHIP
With RADIAN COMPLIANCE
Selection of Auditor or Certification Body
• General Factors
o Reputation in Industry
o Establishment of credibility
o Pricing
o Number of certifications
• Ability of a certifying body to provide a combined audit of several certificates
o Customer Service
• Model for communication with the client
Selection of Auditor or Certification Body
How do organizations select their Certifying Bodies? (Source: Study by www.JAS-ANZ.org)
Experience with some ISO Registrars and Auditors
• Consistency of Auditors and Audit
o Auditor preferences, scope creep
• Transparency of the process
o Certifying body – accreditation requirements from the accreditation body (ANAB and APMG) – adherence to Management system certification – ISO/IEC 17021
o E.g. 1st year audit requirement
• Communication
o Lack of communication (registrar and auditor)
o Focus of the communication on new sales rather than the existing certification
• Responsiveness to the needs of the organization
o Audit Timelines
o Escalation
Time for the Audit
Audit Anxiety??...Stress?? WHY?
Prepare and Plan with a Checklist
1. Know your services.
2. Learn where to locate the correct files, records and documents – clean project space to find files and records effectively
3. Know your Quality Policy and Objectives
4. Answer questions accurately. Stop speaking after you answer.
Answer truthfully.
5. Ensure full knowledge of your non-conformities and their corrective actions
6. Continuously improve, not just before an audit
7. Don’t argue with the auditor, but put your point across with evidence and documentation.
8. Listen to the advice of the auditor
TELESIS Positive Audit Experiences
• Both positive and negative aspects when auditing
• Provided us as clients with the information to make improvements
• Shift in organization from reactive activities to proactive activities
• Assessed compliance against the organization’s documented system
• Process oriented organization
ISO Audits help us achieve our tag line……
How to Contact Us
Monisha Mandal
Corporate Compliance and Quality Manager
Telesis Corporation
Ph.#: 571 267 2931
Email:
Sally Smoczynski
Managing Partner
Radian Compliance
Ph.#: 630-728-7181
Lisa DuBrock
Managing Partner
Radian Compliance
Ph.# 847-997-2032