Pass ASQ CQA Exam in First Attempt Easily

Auditing Fundamentals

1. 1A1 Methods - Introduction and three definitions

To the first topic in the CQA body of knowledge, which is auditing fundamentals. In auditing fundamentals, we will be looking at the following topics: types of quality audits, purpose and scope, criteria to audit against, roles and responsibilities of audit participants, and professional conduct and consequences for auditors. So, these are the topics that will be covered in Section 1. From this section, you should expect 28 questions in the CQA exam. Now, let's start with the types of quality audits. In the types of quality audits, we will also be looking at these four subtopics: methods audit, auditory relationship, purpose, and common elements. With other audits, let's start with methods. In methods, we will be talking about audit methods such as product audit, process audit, system audit, and some other types of audits. But even before we go and talk about audit methods, let's understand some basic definitions related to audit. So here in this lecture, we will be talking about three definitions: the definition of audit, the definition of objective evidence, and audit criteria. Let's look at these three definitions, and then we will talk about some common standards that are used in auditing. And then we will look at audit methods. So, here is the definition of audit: And this definition is from ISO 9000 2015.And when I talk about ISO 9000 2015, we will be talking about this standard and some other relevant standards in the next video. So let's come back to the definition of audit. Audit is systematic, independent and documented process for obtaining objective evidences and evaluating it objectively to determine the extent to which audit criteria are fulfilled if this definition looks a little bit confusing. So let's split this definition into a number of pieces, which I've done here on this slide. So this wording is exactly what you saw previously. So let's look at the definition of audit here. An audit is a systematic process. So you do things in a planned and systematic way when you do an audit. An audit is independent. An audit is done by a party that is independent of the work being done. So if you are doing work, then there is no point in viewing yourself as doing an audit of someone who is external to that process. Someone who is independent needs to do the audit. And then auditing is a documented process. So you document the results of the audit, and based on that you can take action. Now, this is for obtaining objective evidence. So what you do in auditing is collect objective evidence—objective evidence in the form of records, forms, pictures—something with which you can objectively prove that something is good or bad, that something meets criteria or does not meet criteria. So you collect evidence related tothose things which you are auditing. After gathering these evidences, you must objectively evaluate them. Here, it's not a question of opinion; here, what you're doing is evaluating these objectively without any bias. And now what is the whole purpose of this? The purpose of this is to determine the extent to which the audit criteria are fulfilled. So on the right you see a picture that shows the audit criteria and objective evidence, which are on two sides of a balance. So what you're doing in auditing is balancing these two things. On one side, you have the audit criteria. Audit criteria is the requirement—what needs to be done—and objective evidence is related to what's actually happening. So what's required and what's happening? Auditing is a comparison. So this leads us to two more definitions. And these definitions are "audit criteria" and "objective evidence." So let's look at the definition of these two terms as well, starting with audit criteria. What should be done if audit criteria are required? And here is the official definition of audit criteria for ISO 9000. And according to this definition, audit criteria are a set of policies, procedures, or requirements that serve as a baseline against which objective evidence is compared. Let's break this definition down again into a number of pieces, which will help us understand it a little bit better, and which is here. So, audit criteria are sets of policies, procedures, or requirements. So that's what we said in audit. What we do is compare the requirements, the policies, the procedures, and the systems that the organisation has, which are used as a reference against which the objective evidence is compared. And what is actuality or what is the actual situation is what objective evidence is. So this is the definition of audit criteria, and what is the definition of objective evidence? Here is the definition of objective evidence. This is a simple definition here: objective evidence is the data supporting the existence or variety of something. and the term variety here means something that is true. So what we do in Objective Evidence is wecollect the data which is supporting the existence orthe truth of something, what's actually happening. That's the objective evidence. In the definition of objective evidence given in ISO 9000, there are some notes as well. So let's look at these nodes. The first is that objective evidence can be obtained through observation, measurement, testing, or by any other means. Because what you are doing in "objective evidence" is looking at the actual situation, which you can do via observation, measurement, or testing something. The second note here is that "objective evidence" for the purpose of audit generally consists of records, statements of facts, or other information that are relevant to audit criteria and verifiable. So what you do in objective evidence is you collect some records and some data, and sometimes you don't have records or data related to that. So even the statement given by some people is objective Objective Evidence.And these objective evidences must be relevant to the audit criteria or requirement, as well as verifiable. You should be able to verify that. So generally, the papers, the documents, or the records are stronger objective evidence as against the statement given by someone. So in the audit, a statement given by someone could be taken as objective evidence. But it is always good to have something in the form of documents to support that statement. So these were the three definitions about which we wanted to talk. Here are the definitions of audit, audit criteria, and objective evidence. So with this, let's move on to the next video and talk about the standards that we use in the auditing process. We talked about ISO 9000 earlier, which was relevant to definitions, but then there are a few other standards that are relevant to auditing. Let's look at those as well.

2. 1A1 Quality Auditing – Standards

Here on this slide, I have four common standards that are relevant to the auditing process. So the first standard listed here is ISO 9000:2015, and 2015 is the year of publishing. This standard, 9000, gives the terms and the definitions related to quality. So this standard is basically focused on the definitions of terms. The second standard which is listed here isISO 9001 2015 and 2015 is the yearof publishing and 9001 is the standard whichis Quality Management System requirements. Most of the organisations that have an established quality management system establish their system based on this standard, and they get certified. So this is the standard by which you can get your organisation certified too. You cannot get your organisation certified to 9000 or 9004. You can get your organisation certified to ISO 9001. Just to give you a brief history of 9001, 9001 was first published in 1987, then the next revision came in 1994. The next one, the third revision, came in 2000, the fourth revision came in 2008, and the fifth revision came in 2015. The first two versions were in 1987 and 1994. These two versions used to have 20 clauses, but then things changed and the standard was reduced to eight main clauses, and that was these two versions, 2000 and 2008, and then the fifth version, which was 2015. A lot of new changes have occurred here, so we will be briefly talking about 90-01-2015 as we go further into this course. The CQA exam does not really require you to have a good knowledge of ISO 9001 because the exam doesn't test you based on your knowledge of this standard. But still, it is a good idea to have a brief introduction to this standard, which is related to quality management systems. The third standard listed here is 90 04.90-04 is a guideline. So this is a guideline that can help your organisation become the best in class. So this is what you can think of as a TQM. Total Quality Management (TQM) or business accidents are standard. But organisations are not audited, and organisations are not certified to 9004. So this is a good reference if you want to help your organisation become the best in class or compete for a Business Excellence Award, et cetera. So once again, this is just a guideline. 9004 is a guideline coming to the fourth standard, which is listed here. This is a guideline for auditing management systems. This standard basically talks about auditing process. So as you go further into this course, which is the Certified Quality Auditor Exam Preparation Course, you will see that most of this course is based on this standard. 19,011 basically talks about how to do audits, how to plan audits, how to conduct audits, how to report audits, and so on. So if you are preparing for the CQA exam, I insist that you have a copy of this in your binder because you might need to refer to this standard. Other three standards are optional. But still it is a good idea to havea copy of ISO 9000 for terms and definition,9001 for the quality management system requirements. So you can have a copy of these two standards as well. handy in your binder when you go for the CQA exam. But this one is a must. So these are the four standards that are relevant to auditing processes.

3. 1A1 Auditing Methods - Product, Process and System Audits

So here on this slide, we have three main types of audits and these are product audit, the process audit, and the system audit. As you see in the circle, the product audit has a smaller scope, process audit has a bigger scope, and system audit has a much bigger scope. Let’s talk about three types of audits, starting with the product audit. When we say product audit, this audit is focused on one or more product or service. So here your focus is product and what you want to do is you want to assess the fitness for use and to check whether your product or the process meets the design requirements. So in product audit, your focus is the product. This product could be the mouse, the laptop, the table which I have. Any product which you are making, your focuses on the product or the service. So in product audit, what you do is you look at what was required as per design and whether your product is meeting those design requirements or not, and whether your product is fit for use or not. So all your focus is on the product. So if you're doing a product on it, the first thing which you might need to do is look at what is required. So you look at what are the specifications for this product, what are the drawings, what are the standards, you look at those and then compare those requirements against what is the actual reality in the product coming to the next type of audit, which is the process audit. Here your focus is not the product. Here your focus is the process, the process of making that product or process of providing some type of service. And when we say process, a process has an input and output as well. So what you do here in this case is you look at the actual process which is being performed and compare that with the documented requirement for the process. Let’s say your system says that this process needs Tobe done in these three steps, step one, two, three. And then you compare the actual process against those three steps. So in this type of audit, the first thing which you might want to do is understand what are the requirements related to the process, and then go look at the process, observe that, look at the records relevant to that process and make sure that all the requirements related to that process are being met or not. So this was the second type of audit, which was a process audit. The third type of audit is a system audit. System audit has a much bigger scope. In system audit, we look at number of processes, multiple processes which span across multiple disciplines. Here we are looking at the interaction between processes as well. So here you are not looking at one process. Your one process. In the process audit, let’s say, could be manufacturing. In manufacturing, you look at various steps related to manufacturing and make sure whether those steps are being followed or not. That would have been a process audit. But when it comes to system audit here you are looking at number of processes. These processes could include, let's say marketing, the sales, the design, the production, the dispatch, all these processes. When you look together, then what you’re doing is you're doing a system audit.

4. 1A1 Auditing Methods - Combined and Joint Audits

Understand the difference between these two terms when we say "combined audit." In combined audit, the audit is carried out together at a single audit. So auditing is the organization that you are auditing. The organization or the person who is being audited is called the auditor. So here the audit is carried out at single audit on two or more management systems. The example of a combined audit is, let's say, if your organization is being audited for its quality management system, and the quality management system is generally as per ISO 9001 and the environmental management system. The Environmental Management System is in accordance with ISO 14001:2004. So if there is an audit being done on your organization for both certifications (ISO 9001 and 14001 for Quality Management System and Environmental Management System), then you can say that this is a combined audit. So in that case, when you are getting audited for your quality management system and your environmental management system, you can refer to this as an "integrated management system" as well. Because your organization has built a system that covers two standards—9001 for quality management and 14,001 for environmental management systems—you can say that you are getting audited for your Integrated Management System. That's one term, which is the combined audit. As opposed to a combined audit, a joint audit" is the term used when the audit is carried out as a single audit by two or more auditing organizationsand why two or more organizations will be doing this audit. Assume you are conducting an internal audit and your client wishes to participate in the audit. So then it becomes a joint audit because this audit is done by two organizations. Or you might be getting audited by two of your clients together, two of your certification agencies, or whatever it is. When you have two or more organizations doing audits on your organization, then you can call this audit a joint audit. So these were the two terms you needed to know.

5. 1A2 Auditor-auditee Relationship (First, Second and Third Party Audits)

Will be talking about first party audit, second party audit and third party audit. And we will also understand the difference between the internal and external audits. Let’s start with first party audit. First party audit is internal audit it so if you are doing an audit within your organization then this is a first party audit. So first party audit is an internal audit and which is performed within the organization. An audit can have two main objectives. One objective is compliance, compliance tithe requirements, compliance to standard and the second objective could be improvement. When we talk of first party audit, the focus or the objective of first party audit is improvement. And other important aspect of the first party audit is that in first party audit or let’s say in internal audit, the auditor needs to be independent from the area being audited. So auditor does not have a vested interest in the area being audited. So if you look at the diagram at the bottom here you have an organization. Thisorganization has a supplier from which thisorganization buys some material or services, then this organization has a customer. When we talk of first party audit, the first party audit is within the organization. Now coming to the next type of audit which is a second party audit. Second party audit is performed bay customer on the supplier. So if you look at the bottom diagram, if your organization is doing audit of your supplier then this is a second party audit. Also if your customer is doing auditor your organization, then this is a second party audit for your customer. So in second party audit, the auditor audit has a client supplier relationship. The second party audit could be done before awarding a contract or after awarding a contract to make sure that the contract requirements are being met or not. So this was second party audit, the next one is the third party audit. Third party audit is performed by an organization which is independent of customer supplier relationship. So this third party audit is done by an independent party. So as you can see in the diagram below, you have supplier, organization and customer. But this audit is done by third party which is neither your supplier nor your customer. So in this case, if you see, the third-party is free from any conflict of interest. So, third party is an independent party. So when we talk of ISO 9001 certification of an organization, all those audits are done by a third party. So these were first party, second party and third party audits. Here is the summary of that. First party audit is an internal audit, second party audits done by client on the supplier and third party audit is done by a third party either appointed bay client or which is an independent organization to give you a certificate such as ISO 9001.So depending upon the auditor auditory relationship, you can have first party, second party or a third party audit. Now coming to another classification which is internal versus external audit. When we talked about first party audit, we said that the first party audit is an internal audit because this audit is done by the organizationitself. Second party and third party audits are external audits because these are done by someone who is out trade the organization. The second party audit is done by the customer on its supplier and third party is done bay party which is independent of supplier customer relationship.

6. 1A3 Purpose - Registration/Certification and Accreditation

In this lecture, we will talk about the purpose of auditing. The purpose of an audit could be certification or registration, which is ISO 9001 certification. And the purpose of an audit could be accreditation. and we will talk about what this means. And the purpose of an audit could be compliance for a risk-based audit, verification of capacity, which is corrective and preventive action, or surveillance audits. So, these are the purposes of audits. Let's start with certification audits and accreditation audits. In this video and in the next video, we will talk about the other five types of audits. So, let's start with the certification or registration audit. When we say certification or registration audit, the most common type of certification audit is an ISO 9001 certification audit. So, you have probably seen many organisations that have ISO 9001 certification. The audit that is done to issue this certificate is a certification audit. So now, when we say "ISO 9001 certification audit," let's remember that the ISO does not conduct these audits. These certificates are not issued by ISO or the International Organization for Standardization. They just create the standard. The ISO 9001 standard is prepared by ISO, but they don't issue the certificate of compliance to organizations. And who does that? That is done by certification bodies. So, there are certification bodies that issue ISO 9001 certificates. Here at the bottom of the slide, you will see logos of some of these organisations that issue ISO 9001 certificates, which include DNV, Bureau, Veritas, BSI, InterTech, and many, many more organizations.Now, the next question would be, if ISO doesn't issue the certificate and these certification bodies issue the certificate of compliance to the ISO 9001 standard, then who allows these companies to issue the certificate? Can I start issuing ISO 9001 certificates? Two organizations, which are certification bodies, are authorised by accreditation bodies. Each country has one accreditation body. And when I say each country, let's say most of the countries have one accreditation body. So, if you look at the United States, Nap is one that basically allows certification bodies to issue ISO 9001 certificates. In the UK, UCAS is the one that allows certification bodies to issue 9000-month months certificate.Similarly, for Japan, we have Jazz AMZ, and for India, we have NABCB. So, these organisations are single organizationsin the countries which allow certificationbodies to issue ISO 9001 certificates. And each of the countries' accreditation bodies is a member of the International Accreditation Forum, or IAF. So, if you look at an ISO 9001 certificate, you will see two or three logos on that. The first logo will be the logo of the certification body. So here, if you look at this sample, which I picked from the internet, this is the certification body. Ms. Start is the organisation that came and audited this organisation and issued the ISO 9001 certificate. But then who authorised Ms. Cert? Jazz, a New Zealand musician, did this. So, this is the accreditation body. An accreditation body is a member of the IAF (International Accreditation Forum). So this is the hierarchy. You will see in most of ISO 9001 certificates. On some certificates, you might not see the logo of the IAF. That's fine because these are well-recognized organizations. So if you look at this, that means this is an organisation that basically represents the country in the IAF. So having understood this, now let's look at the hierarchy of this certification, which is shown here. So if you look here, ISO is basically the one who creates the standard. So this is prepared 9001 standard. And then IAF is the one which basically monitorsor manages the certification at the highest level. And then in each country, you have one accreditation body. So this is one for US, this isone for UK, this is for Japan. The next one is for India. And you have many more organisations here, which basically are the only organisations in the country that are members of the IAF. Now the certification bodies are being audited. So, certification bodies are audited by the accreditation body in the United States. And the standard that they use is ISO 1721 7021.And based on that, these organizations are authorised to issue ISO9001 certificates to different organizations.

Hide