ISO-9001-Lead-Auditor QMS ISO 9001:2015 Lead Auditor Exam Questions and Answers

According to the ISO 9001 Auditing Practices Group Guidance on Improvement Opportunities1, an improvement opportunity is a suggestion made by the auditor for the auditee to consider that, if implemented, may enhance the performance of the QMS. Improvement opportunities are not mandatory, but they should be based on objective evidence and aligned with the audit criteria and objectives. Improvement opportunities should also be realistic, feasible, and beneficial for the auditee. In this case, the evidence statements that represent acceptable improvement opportunities in the report are A, C, and E, because they address the potential causes and effects of the spelling errors in the print run, and propose possible actions that may improve the quality of the products and services, and the effectiveness of the QMS. These options are consistent with the requirements and principles of ISO 9001, such as clause 6.1 on actions to address risks and opportunities, clause 8.1 on operational planning and control, clause 8.5.1 on control of production and service provision, and clause 10.2 on nonconformity and corrective action. The other options are not appropriate improvement opportunities, because they are either irrelevant, unrealistic, or unhelpful for the auditee. For example, option B may contradict the audit objective and scope, option D may imply a lack of auditor competence or impartiality, option F may not address the root cause of the problem, option G may not be applicable or effective, and option H may not be feasible or justified. References: ISO 9001 Auditing Practices Group Guidance on Improvement Opportunities, ISO 9001:2015, ISO 9001 Auditing Practices Group Guidance on Audit Evidence

According to ISO 9001:2015, clause 4.3, the organization is required to determine the scope of its quality management system (QMS) by considering the external and internal issues referred to in clause 4.1. Clause 4.1 requires the organization to determine the external and internal issues that are relevant to its purpose and strategic direction, and that affect its ability to achieve the intended results of its QMS. These issues can include positive and negative factors or conditions for consideration, such as legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional, or local. The organization is also required to monitor and review these issues.

Therefore, the correct answer is C, as external issues of the organization’s context are one of the factors that must be considered when determining the scope of the QMS. The other options are either not directly related to the scope of the QMS, or are not explicitly mentioned in clause 4.3.

References:

ISO 9001:2015(en), Quality management systems — Requirements, clause 4.1 and 4.3

ISO 9001:2015 – How to determine the scope of your QMS - Advisera, section “Considerations for determining the scope of the QMS in ISO 9001”

ISO 9001 Lead Auditor Training Course | IRCA Certified | BSI, section “Learning objectives”

ISO 9001 Lead Auditor Course Material | 3FOLD Education Centre, module 4

Comprehensive and Detailed Explanation: = According to the web search results from my internal tool, a witness audit is a technique used during an accreditation audit, where the accreditation body observes the performance and competence of the certification body auditors in conducting an audit12. A witness audit can also be used by a certification body to monitor and evaluate its own auditors3. During a witness audit, the following roles can be defined:

•An auditor: This is the person who is being witnessed by the accreditation body or the certification body. The auditor is responsible for conducting the audit according to the audit plan, criteria, and standards, and for providing audit evidence and findings123.

•An assessor for the accreditation body: This is the person who witnesses the auditor on behalf of the accreditation body. The assessor is responsible for evaluating the auditor’s performance and competence, and for providing feedback and recommendations to the accreditation body123.

The other options are not defined as witnesses during a witness audit, according to the web search results from my internal tool. They are:

•Someone with a qualification from the certification body: This is not a specific role in a witness audit, as anyone who is involved in the audit process should have a qualification from the certification body. Moreover, having a qualification does not necessarily mean that the person is a witness or an auditor4.

•An existing member of the audit team: This is not a specific role in a witness audit, as the audit team consists of the auditors who are conducting the audit, not the ones who are witnessing it. The witness audit is a separate activity from the audit itself, and the witness should not interfere with the audit process or influence the audit outcome123.

Therefore, the correct answer is B and D.

References: 1: DQS Inc. | Witness Audits | Auditor Training 2: Have you ever been involved with a witness audit? - IFSQN 3: Certac - Witness Audit of Certification Bodies 4: ISO 19011:2018 - Guidelines for auditing management systems

A first-party audit is an internal audit conducted by auditors who are employed by the organization being audited but who have no vested interest in the audit results of the area being audited1. The purpose of a first-party audit is to assess the conformity of the organization’s quality management system to the requirements of ISO 9001 and to identify opportunities for improvement2. Therefore, the two auditors who would not participate in a first-party audit are:

•A. An auditor employed by an external consultancy organization: This auditor is not employed by the organization being audited, and therefore does not qualify as a first-party auditor. This auditor may be hired to conduct a second-party audit (if the external consultancy organization is a customer or supplier of the organization being audited) or a third-party audit (if the external consultancy organization is a certification body or registrar).

•F. An auditor from a customer: This auditor is not employed by the organization being audited, and therefore does not qualify as a first-party auditor. This auditor may be hired to conduct a second-party audit, as a customer is an interested party that has specific requirements for the organization being audited.

The other options are not correct, as they could participate in a first-party audit, as long as they are employed by the organization being audited and have no vested interest in the audit results of the area being audited:

•B. An auditor from an interested party: This auditor could be a first-party auditor, as long as the interested party is within the organization being audited. For example, an auditor from the finance department could audit the production department, as long as they are not involved in the production process or affected by its outcomes.

•C. An auditor trained in-house: This auditor could be a first-party auditor, as long as they are employed by the organization being audited and have no vested interest in the audit results of the area being audited. The source of the auditor’s training is not relevant for determining the type of audit, as long as the auditor is competent and qualified to perform the audit.

•D. An auditor trained in the IRCA scheme: This auditor could be a first-party auditor, as long as they are employed by the organization being audited and have no vested interest in the audit results of the area being audited. The IRCA scheme is a professional certification scheme for auditors of management systems, which provides recognition of the auditor’s competence and credibility3. However, being trained in the IRCA scheme does not determine the type of audit, as long as the auditor is competent and qualified to perform the audit.

•E. An auditor certified by IRCA: This auditor could be a first-party auditor, as long as they are employed by the organization being audited and have no vested interest in the audit results of the area being audited. Being certified by IRCA means that the auditor has met the requirements of the IRCA scheme and has demonstrated their competence and credibility as an auditor of management systems3. However, being certified by IRCA does not determine the type of audit, as long as the auditor is competent and qualified to perform the audit.

References: First Party Audits: The 5 Steps to Success - Sync Resource Inc, ISO 9001 Auditing Practices Group, IRCA - International Register of Certificated Auditors

Match the process descriptions below to the process names:

The process by which the accuracy of test equipment is checked against a known standard. = Calibration

The process by which a product or service is visually examined to determine conformity to requirements. = Evaluation

The process by which data is examined in detail to reach a specific answer or answers. = Analysis

The process by which a parameter of a product or service is examined to determine a specific value. = Measurement

According to the ISO 9000:2015 - Quality management systems — Fundamentals and vocabulary, the definitions of the process names are as follows:

Calibration: operation that, under specified conditions, in a first step, establishes a relation between the quantity values with measurement uncertainties provided by measurement standards and corresponding indications with associated measurement uncertainties and, in a second step, uses this information to establish a relation for obtaining a measurement result from an indication.

Evaluation: determination of the suitability, adequacy or effectiveness of an object to achieve established objectives.

Analysis: detailed examination of the elements or structure of something.

Measurement: process to experimentally obtain one or more quantity values that can reasonably be attributed to a quantity.

Therefore, the process descriptions can be matched to the process names based on these definitions.

References:

ISO 9000:2015 - Quality management systems — Fundamentals and vocabulary

Identifying the source of information

Sampling available data

Gathering audit evidence

Verifying objective evidence

Evaluating evidence against the audit criteria

Making audit conclusions

Evaluating against the audit criteria

According to ISO 19011:2018, clause 6.4, the process of collecting and verifying information during an audit involves the following steps1:

Identifying the source of information: The audit team should identify the sources of information that are relevant to the audit objectives, scope and criteria. These sources may include documents, records, personnel, processes, activities, facilities, equipment, etc. The audit team should also determine the methods and tools for accessing and collecting the information, such as interviews, observations, document review, sampling, etc.

Sampling available data: The audit team should select a representative sample of the available data to verify the conformity and effectiveness of the management system. The sample size and selection method should be based on the audit objectives, scope and criteria, as well as the level of confidence and risk. The audit team should also consider the validity, reliability, relevance and sufficiency of the data.

Gathering audit evidence: The audit team should use the methods and tools identified in the previous step to collect audit evidence, which is the records, statements of fact or other information that are relevant to the audit criteria and verifiable. The audit team should record the audit evidence in a clear, concise and objective manner, using notes, checklists, photographs, audio or video recordings, etc.

Verifying objective evidence: The audit team should verify the accuracy, completeness and authenticity of the audit evidence collected. This may involve cross-checking different sources of information, confirming the identity and authority of the persons providing the information, examining the original documents or records, etc. The audit team should also identify any discrepancies, inconsistencies or gaps in the audit evidence.

Evaluating evidence against the audit criteria: The audit team should compare the audit evidence with the audit criteria to determine the extent of conformity and nonconformity. The audit team should also identify any opportunities for improvement, best practices, positive aspects or potential risks. The audit team should use professional judgement and apply the principles of auditing when evaluating the audit evidence.

Making audit conclusions: The audit team should consolidate the audit findings and evaluate the overall performance and effectiveness of the management system. The audit team should also consider the audit objectives, scope and criteria, as well as the context and expectations of the auditee and other interested parties. The audit team should provide a clear, concise and objective statement of the audit conclusions, which may include the degree of conformity, the achievement of the intended outcomes, the need for corrective actions, the suitability for certification, etc.

Evaluating against the audit criteria: The audit team should review the audit conclusions and ensure that they are consistent with the audit criteria and supported by sufficient and appropriate audit evidence. The audit team should also ensure that the audit conclusions are communicated to the auditee and other relevant parties in a timely and effective manner, using the agreed audit report format and distribution method.

References: ISO 19011:2018(en), Guidelines for auditing management systems

According to the ISO 9001:2015 standard, clause 4.1 requires organizations to determine the external and internal issues that are relevant to their purpose and that affect their ability to achieve the intended outcomes of their quality management system. Clause 6.1 requires organizations to plan actions to address the risks and opportunities associated with these issues. These actions must be integrated into the quality management system processes and evaluated for effectiveness.

In this scenario, the General Manager of the pharmaceutical organization has shown a lack of understanding and involvement in the process of identifying and addressing the external and internal issues that affect their quality management system. The General Manager has relied on the legal compliance expert, who is not an employee of the organization, to guide them on this process. The General Manager has also admitted that they did not document these issues, which is contrary to the requirement of retaining documented information on the context of the organization. The General Manager has also delegated the responsibility of determining and planning the actions to address the risks and opportunities to the Technical Manager, who is absent due to COVID-19.

Based on this information, you can respond to the General Manager’s suggestion by taking two options:

B. I would ask for a different guide instead of the legal compliance expert: You can request to have a different guide who is an employee of the organization and who is familiar with the quality management system processes and the external and internal issues that affect them. The legal compliance expert may not have the necessary knowledge and authority to answer your questions or provide you with the relevant evidence.

C. I would look for evidence that the actions resulting from the risk assessment had been taken: You can verify whether the organization has implemented and evaluated the actions to address the risks and opportunities associated with the external and internal issues. You can look for evidence such as records of risk analysis, action plans, monitoring and review results, and improvement measures.

These two options would help you to assess the conformity and effectiveness of the organization’s quality management system with respect to the requirements of clauses 4.1 and 6.1.

The tasks that are expected to be completed at the audit team meeting of a third-party audit team leader and his audit team in preparation for a Closing meeting for a four-day initial certification audit are:

•Option C: Final audit team meeting to agree findings and categories including clarification of any uncertainties. This option is correct because the audit team meeting is an opportunity for the audit team leader and the audit team members to review and consolidate the audit findings, to ensure that they are clear, accurate, objective, and supported by sufficient audit evidence. The audit team should also agree on the categories of the findings, such as nonconformity, observation, or opportunity for improvement, and resolve any uncertainties or disagreements among the audit team members.

•Option D: Agree the roles of each audit team member for the closing meeting. This option is correct because the audit team meeting is an opportunity for the audit team leader to assign the roles and responsibilities of each audit team member for the closing meeting, such as presenting the audit findings, answering questions, or taking notes. The audit team leader should also ensure that the audit team members are prepared and confident to perform their roles and to communicate effectively with the auditee.

•Option E: Audit team review any points raised by the auditee nominated representative. This option is correct because the audit team meeting is an opportunity for the audit team to review any points raised by the auditee nominated representative during the audit, such as requests for clarification, feedback, or complaints. The audit team should consider the validity and relevance of the points raised and decide how to address them in the closing meeting or in the audit report.

•Option F: Audit team agree final audit outcome recommendation. This option is correct because the audit team meeting is an opportunity for the audit team to agree on the final audit outcome recommendation, based on the audit findings and the audit criteria. The audit team should also consider the implications and consequences of the audit outcome recommendation for the auditee and the certification body, and ensure that the recommendation is consistent and justified.

•Option H: Audit team complete final version of their individual findings. This option is correct because the audit team meeting is an opportunity for the audit team to complete the final version of their individual findings, based on the agreement and feedback from the audit team meeting. The audit team should ensure that their individual findings are written in a clear, concise, and factual manner, and that they include the audit criteria, the audit evidence, and the audit conclusion. The audit team should also submit their individual findings to the audit team leader for review and approval.

•Option I: Re-audit corrective actions taken to correct findings found during the audit. This option is correct because the audit team meeting is an opportunity for the audit team to re-audit the corrective actions taken by the auditee to correct the findings found during the audit, if applicable and feasible. The audit team should verify the effectiveness and adequacy of the corrective actions and update the audit findings accordingly. The audit team should also document the results of the re-audit and communicate them to the auditee.

The following options are not correct:

•Option A: Audit team leader informs the individual(s) managing the audit programme that the closing meeting is ready to be held. This option is not correct because this task is not part of the audit team meeting, but part of the communication between the audit team leader and the individual(s) managing the audit programme. The audit team leader should inform the individual(s) managing the audit programme that the closing meeting is ready to be held after the audit team meeting, when the audit team has completed all the tasks and is ready to present the audit results to the auditee.

•Option B: Hold daily audit team meeting to review any timetable issues and potential findings and their impact on the audit for other team members. This option is not correct because this task is not part of the final audit team meeting, but part of the daily audit team meetings that are held during the audit. The daily audit team meetings are opportunities for the audit team to review the progress and performance of the audit, to identify and resolve any issues or problems, and to coordinate and adjust the audit plan and activities as needed.

•Option G: Audit team leader completes final report, including individual findings and certification recommendation. This option is not correct because this task is not part of the audit team meeting, but part of the audit reporting process. The audit team leader should complete the final report, including the individual findings and the certification recommendation, after the closing meeting, when the audit team has received and considered the feedback and comments from the auditee. The audit team leader should also ensure that the final report is reviewed and approved by the appropriate authorities before issuing it to the auditee and the certification body.

•Option J: Write the audit finding report out when detected and obtain signature of the auditee. This option is not correct because this task is not part of the audit team meeting, but part of the audit evidence collection and documentation process. The audit team should write the audit finding report out when detected and obtain the signature of the auditee during the audit, when the audit team has observed and verified the audit evidence and has communicated the audit finding to the auditee. The signature of the auditee does not indicate acceptance or agreement with the audit finding, but only acknowledgement of receipt.

References:

•ISO 19011:2018 Guidelines for auditing management systems, Clause 6.4.2: Conducting audit activities, Subclause i) and j)

•ISO 9001 Lead Auditor Course Material, Module 5: Conducting an Audit, Slide 19: Audit Team Meeting

•ISO 9001 Lead Auditor Training Course - IRCA Certified, Section 5.4: Audit Team Meeting

•Lead Auditor Exam Preparation Guide (EPG) Template - PECB, Section 3.2: Exam Content Outline, Subsection 3.2.1: Section 1 - Audit Fundamentals, Subsection 3.2.2: Section 2 - Audit Principles, Subsection 3.2.3: Section 3 - Audit Process, Subsection 3.2.4: Section 4 - Audit Competencies

The following table shows the possible matching of the records to the requirements of clause 8.4:

Table

Requirements

Records

Define product requirements

Product specification

Criteria for selection

List of requirements to be met by the external provider

Evaluation of potential external provider

External provider questionnaire

External provider selection

Approved external provider list

Communicate requirements

Purchase order

Monitoring of performance

External provider delivery times and quality issues

Comprehensive and Detailed Explanation: = According to clause 8.4 of ISO 9001:2015, the organization should ensure that externally provided processes, products, and services conform to the specified requirements. To do so, the organization should:

Define the product requirements that are relevant for the external provision, such as specifications, drawings, standards, codes, etc. These should be documented and communicated to the external provider. A record of the product specification can be used as evidence of this requirement.

Establish the criteria for the selection, evaluation, and re-evaluation of external providers, based on their ability to provide processes, products, and services in accordance with the requirements. The criteria should be documented and applied consistently. A record of the list of requirements to be met by the external provider can be used as evidence of this requirement.

Evaluate the potential external providers before selecting them, using the established criteria. The evaluation methods may include questionnaires, audits, references, samples, etc. The results of the evaluation should be documented and reviewed. A record of the external provider questionnaire can be used as evidence of this requirement.

Select the external providers that have demonstrated their competence and conformity to the requirements. The selection should be based on the evaluation results and the organization’s needs. The selection should be documented and approved. A record of the approved external provider list can be used as evidence of this requirement.

Communicate the requirements for the processes, products, and services to be provided by the external provider, including the verification and validation activities, the acceptance criteria, the documentation requirements, the changes control, etc. The communication methods may include purchase orders, contracts, agreements, etc. The communication should be clear, complete, and timely. A record of the purchase order can be used as evidence of this requirement.

Monitor the performance and conformity of the external provider, using the established criteria and methods. The monitoring methods may include inspections, tests, audits, feedback, complaints, etc. The monitoring results should be documented and analyzed. A record of the external provider delivery times and quality issues can be used as evidence of this requirement.

References: ISO 9001:2015, [ISO 9001 Auditing Practices Group Guidance on Scope], Mastering the Scope of ISO 9001 Quality Management Systems

According to the ISO 9000:2015 quality management principles document1, risk-based approach is not one of the seven quality management principles that ISO 9000, ISO 9001 and other related quality management standards are based on. The seven quality management principles are:

Customer focus

Leadership

Engagement of people

Process approach

Improvement

Evidence-based decision making

Relationship management

Therefore, risk-based approach is not a quality management principle under ISO 9001:2015.

References: ISO - Quality management principles

Establishing the audit programme objectives

Determining and evaluating the audit programme risks and opportunities

Establishing the audit programme

Initiating the audit

Preparing all audit activity

Conducting the audit activities

To complete the sequence, you can drag and drop the options to the appropriate blank section.

Here is a brief explanation of each stage:

Establishing the audit programme objectives: This is the first stage of the audit process, where the purpose, scope, and criteria of the audit programme are defined. The audit programme objectives should be aligned with the strategic direction and policies of the organization, and should address the needs and expectations of the interested parties12.

Determining and evaluating the audit programme risks and opportunities: This is the second stage of the audit process, where the factors that can affect the achievement of the audit programme objectives are identified and assessed. The audit programme risks and opportunities should consider the internal and external issues, the requirements and changes of the interested parties, and the results and feedback from previous audits12.

Establishing the audit programme: This is the third stage of the audit process, where the audit programme is designed and implemented. The audit programme should include the audit programme procedures, the audit programme resources, the audit methods and techniques, the audit frequency and schedule, and the audit programme performance indicators12.

Initiating the audit: This is the fourth stage of the audit process, where the audit is prepared and planned. The audit initiation involves selecting the audit team, establishing the contact with the auditee, defining the audit objectives, scope, and criteria, developing the audit plan, and conducting the document review123.

Preparing all audit activity: This is the fifth stage of the audit process, where the audit activities are organized and coordinated. The audit preparation involves assigning the audit tasks, communicating with the auditee and the audit team, arranging the logistics, preparing the working documents, and conducting the opening meeting123.

Conducting the audit activities: This is the sixth and final stage of the audit process, where the audit evidence is collected and evaluated. The audit conduct involves performing the audit activities, such as interviews, observations, document reviews, and tests, documenting the audit findings, preparing the audit conclusions, and conducting the closing meeting123.

I hope this helps you with your ISO 9001 Lead Auditor objectives and content. If you have any further questions, please feel free to ask. ????

References: 1: ISO 19011:2018 - Guidelines for auditing management systems 2: Audit Process | Flowchart | Summary - Accountinguide 3: What are the Stages of the Auditing Process & Why it is Important …

In this scenario, the audit team leader must balance maintaining the integrity of the audit plan while considering the auditee’s request. The two best responses allow for flexibility without compromising the audit's rigor:

A. I could audit the other laboratories virtually at the end of this audit: Virtual audits can be a valid option, especially in multi-site audits. ISO 9001:2015 does not prohibit virtual audits, and in certain situations, they are practical for reviewing documentation or observing operations remotely.

C. I could try to revise the audit programme to see if I can audit all laboratories: Revising the audit programme to accommodate additional site visits is a reasonable compromise. ISO 9001:2015 audits are based on risk and sampling, but the audit team leader has the flexibility to adjust the audit scope if it fits within the audit duration and resources.

The other options, such as extending the audit duration (B, F) or strictly adhering to the original plan (D, E), may not be practical or necessary. Revising the plan to audit all laboratories or using virtual auditing ensures that the audit remains efficient while addressing the organization's concerns​.

The auditor could raise the following nonconformities to ISO 9001 based on the scenario:

•Option A: 10.3 - The organisation did not continuously improve. Reject rates were unchanged. This option is correct because ISO 9001:2015 clause 10.3 requires the organization to improve the suitability, adequacy and effectiveness of the quality management system. The organization did not demonstrate any improvement in reducing the reject rate of the finished product, which was a stated objective of top management. The corrective action taken by the organization was not effective in addressing the root cause of the problem and preventing its recurrence.

•Option B: 7.1.4 - The factory environment is not suitably maintained to prevent dirty products. This option is correct because ISO 9001:2015 clause 7.1.4 requires the organization to determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services. The organization did not ensure that the factory floor was clean and dry, which affected the quality of the products and increased the risk of nonconformity.

•Option C: 7.1.1 - The organization failed to provide the required resources to prevent nonconforming products. This option is correct because ISO 9001:2015 clause 7.1.1 requires the organization to determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the quality management system. The organization did not provide adequate collection baskets for the products ejecting from the moulding machines, which resulted in products falling onto the factory floor and becoming nonconforming.

The following options are not correct:

•Option D: 9.2.2 - Report IA202 contained a poorly worded nonconformity (NC 3). This option is not correct because ISO 9001:2015 clause 9.2.2 does not specify the requirements for the wording of nonconformities in internal audit reports. The nonconformity (NC 3) stated by the internal auditor was clear and relevant to the audit criteria and audit evidence. The issue is not with the report, but with the corrective action taken by the organization.

•Option E: 8.6 - Dirty products were released to the customer. This option is not correct because ISO 9001:2015 clause 8.6 requires the organization to implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met. The scenario does not indicate that the dirty products were released to the customer, but that they were recalled and repaired then returned to the customers. The issue is not with the release, but with the production process and the environment.

•Option F: 7.3 - Staff were not aware that products were falling onto the factory floor. This option is not correct because ISO 9001:2015 clause 7.3 requires the organization to ensure that the persons doing work under its control are aware of the quality policy, relevant quality objectives, their contribution to the effectiveness of the quality management system, and the implications of not conforming with the quality management system requirements. The scenario does not indicate that the staff were not aware of these aspects, but that the management did not provide adequate resources and environment for the staff to perform their work. The issue is not with the awareness, but with the management responsibility and resource provision.

•Option G: 10.2.1 - Conduct of an investigation was not sufficient to understand the cause of the nonconformity. This option is not correct because ISO 9001:2015 clause 10.2.1 requires the organization to react to the nonconformity and, as applicable, take action to control and correct it and deal with the consequences. The scenario indicates that the Quality Manager conducted an investigation into the reject rates and identified the cause of the nonconformity. The issue is not with the investigation, but with the corrective action taken by the management.

•Option H: 8.5.1 - Production operations were not properly controlled to avoid reject products. This option is not correct because ISO 9001:2015 clause 8.5.1 requires the organization to implement production and service provision under controlled conditions. The scenario indicates that the production operations were controlled by the moulding machines, which ejected the products into the collection baskets. The issue is not with the production operations, but with the size of the collection baskets and the condition of the factory floor.

References:

•ISO 9001:2015 Quality management systems - Requirements

•ISO 9001 Lead Auditor Course Material, Module 6: Reporting Audit Findings, Slide 14: Writing Nonconformity Statements

•ISO 9001 Lead Auditor Training Course - IRCA Certified, Section 6.2: Reporting Audit Findings

•Lead Auditor Exam Preparation Guide (EPG) Template - PECB, Section 3.2: Exam Content Outline, Subsection 3.2.1: Section 1 - Audit Fundamentals, Subsection 3.2.2: Section 2 - Audit Principles, Subsection 3.2.3: Section 3 - Audit Process, Subsection 3.2.4: Section 4 - Audit Competencies

Top management is responsible for establishing, implementing, and maintaining the quality policy. The quality policy provides a framework for setting quality objectives and must be compatible with the context of the organization and support its strategic direction. It should also provide a commitment to satisfy applicable requirements and to continuous improvement.

References: ISO 9001:2015, Clause 5.2

Nonconformity report

ISO 9001 Clause Number: 9.3.1 Nature of problem: Management review has not been conducted at the defined frequency. ISO 9001 requirement that has not been fulfilled: ISO 9001 - “Top management shall review the organization’s quality management system at planned intervals.” Evidence: The last management review took place nine months ago, and the previous one took place one year before the latest review. The planned interval is six months.

According to clause 8.3 of ISO 9001:2015, the organization should establish, implement, and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services. The design and development process should include the following activities:

•Determining the requirements for the products and services to be designed and developed, considering the intended use, the statutory and regulatory requirements, the customer and other relevant interested parties’ needs and expectations, and the potential risks and opportunities.

•Defining the design and development objectives, stages, responsibilities, and authorities, and ensuring the availability of adequate resources and competence.

•Implementing design and development controls, such as reviews, verification, and validation, to ensure that the design and development outputs meet the design and development inputs, and to identify and resolve any problems or errors.

•Maintaining documented information on the design and development inputs, outputs, reviews, verification, validation, and changes, and ensuring the traceability and conformity of the products and services to the requirements.

•Managing the design and development changes, by identifying, reviewing, and controlling them, and evaluating their effects on the products and services and the QMS.

In this case, the evidence statements that provide a meaningful audit trail for the design and development process are B, E, and F, because they relate to the design and development controls, the documented information, and the verification activities that are required by the standard. These options can help the auditor to assess the effectiveness and conformity of the design and development process, and to identify any nonconformities or opportunities for improvement. The other options are not directly related to clause 8.3, although they may be relevant for other aspects of the QMS, such as clause 7.2 on competence, clause 7.3 on awareness, clause 7.4 on communication, clause 8.2 on requirements for products and services, clause 8.4 on externally provided processes, products, and services, and clause 8.7 on control of nonconforming outputs. References: ISO 9001:2015, ISO 9001 Auditing Practices Group Guidance on Design and Development, ISO 9001 Clause 8.3 Design and development of products and services

In the context of ISO 9001:2015 audits, it is the audit team leader who holds the responsibility for assigning work to the audit team. According to ISO 19011:2018 (Guidelines for auditing management systems, which complements ISO 9001:2015), the audit team leader is responsible for the organization and direction of the audit, including assigning specific roles and responsibilities to audit team members. This includes preparation of the audit plan, leading the audit, and ensuring that each team member understands their tasks.

Sequence:

Stage 1 Audit

Stage 2 Opening Meeting

Interviews

Stage 2 Closing Meeting

Close-out of Stage 2 Audit Findings

Issue Certificate

Surveillance Audit

Follow-up Audit

To complete the sequence, you can drag and drop the options to the appropriate blank section.

Here is a brief explanation of each step:

Stage 1 Audit: This is the initial audit that aims to assess the readiness of the organization for the stage 2 audit. It involves reviewing the documentation of the quality management system, evaluating the scope and objectives of the audit, and identifying any major gaps or nonconformities34.

Stage 2 Opening Meeting: This is the meeting that marks the start of the stage 2 audit. It involves confirming the audit plan, the audit criteria, the audit scope, and the audit team. It also provides an opportunity for the auditee to ask any questions or raise any concerns34.

Interviews: This is the main activity of the stage 2 audit, where the audit team collects evidence by interviewing the personnel involved in the quality management system, observing the processes and activities, and examining the records and documents. The audit team uses various techniques, such as sampling, measurement, analysis, and evaluation, to verify the conformity and effectiveness of the quality management system345.

Stage 2 Closing Meeting: This is the meeting that marks the end of the stage 2 audit. It involves presenting the audit findings, the audit conclusions, and the audit report to the auditee. It also provides an opportunity for the auditee to provide feedback, ask questions, or dispute any findings34.

Close-out of Stage 2 Audit Findings: This is the process of verifying that the auditee has taken appropriate corrective actions to address any nonconformities or opportunities for improvement identified during the stage 2 audit. The audit team may request evidence or conduct a follow-up visit to confirm the effectiveness of the corrective actions34.

Issue Certificate: This is the process of issuing a certificate of conformity to the auditee, if the audit team is satisfied that the quality management system meets the requirements of the standard and that there are no major nonconformities or unresolved issues. The certificate is valid for a specified period, usually three years, and is subject to periodic surveillance audits34.

Surveillance Audit: This is the process of conducting periodic audits, usually once a year, to monitor the continued conformity and effectiveness of the quality management system. It involves reviewing the changes, improvements, and performance of the quality management system, and identifying any new nonconformities or opportunities for improvement34.

Follow-up Audit: This is the process of conducting an additional audit, usually in response to a significant change, a complaint, or a major nonconformity, to verify the impact and the corrective actions taken by the auditee. It may result in the suspension, withdrawal, or renewal of the certificate, depending on the outcome of the audit34.

 Responsibilities of the Audit Team Leader:ISO 19011:2018 (guidelines for auditing management systems), which supports the principles in ISO 9001:2015, specifies the responsibilities of an audit team leader. These responsibilities include:

Planning the audit and establishing effective communication between the audit team and auditee.

Ensuring that formal communication channels are agreed upon and followed.

Reporting the audit progress, significant findings, and any concerns to the auditee or audit client as necessary.

Managing the audit team and ensuring adherence to the defined objectives and scope.

 Analysis of Options:

A. Reporting unattainable audit objectives to the accreditation body:Incorrect. This is not the responsibility of the audit team leader. The accreditation body oversees the certification body and is not directly involved in specific audits. If objectives are unattainable, the audit team leader would report them to the audit client (the certification body), not the accreditation body.

B. Planning formal communication arrangements:Correct. This is one of the responsibilities of the audit team leader. They ensure auditees can communicate with auditors as needed during the audit process.

C. Confirming communication channels during the opening meeting:Correct. During the opening meeting, the audit team leader must establish clear communication protocols to ensure effective information exchange between the audit team and auditee.

D. Communicating progress, findings, and concerns:Correct. Keeping the auditee and audit client informed about progress and significant findings is a critical responsibility of the audit team leader to maintain transparency and ensure the audit objectives are met.

 Why Option A is Correct:The audit team leader does not have any obligation to report unattainable objectives to the accreditation body. Instead, they are responsible for communicating issues to the audit client (typically the certification body). The accreditation body operates at a higher level and is concerned with overseeing certification bodies, not individual audits.

 Relevant References:

ISO 19011:2018, Clause 6.4 (Conducting the Audit): Emphasizes the responsibilities of the audit team leader, including communication with the auditee and client.

ISO 9001:2015, Clause 9.2 (Internal Audit): Highlights the importance of planning and communication during audits, which is reflected in third-party audits as well.

According to clause 4.1 of ISO 9001:2015, the organization should determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended results of its quality management system. The organization should monitor and review these issues and update them as necessary. Although the standard does not explicitly require documented information of these issues, it does require documented information as evidence of the implementation of the actions taken to address risks and opportunities, as per clause 6.1. The organization should also retain documented information as evidence of the results of the monitoring, measurement, analysis and evaluation of its QMS, as per clause 9.1. Therefore, the auditor should not accept the legal compliance expert answering the question, as he is not the person responsible for the process and may not have the necessary competence or knowledge of the QMS. The auditor should also look for evidence that the actions resulting from the risk assessment had been taken, as this is a requirement of the standard and a way to verify the effectiveness of the QMS. The other options are not appropriate courses of action for the auditor, because they do not address the audit objective or criteria, or they may compromise the audit integrity or impartiality. For example, option B may not be feasible or reliable, as the Technical Manager may not be available or able to provide the necessary evidence by phone. Option C may cause unnecessary delay and inconvenience for the audit process and the auditee. Option E may not solve the problem, as the guide is not the main source of evidence or information for the audit. Option F may be disrespectful or unprofessional, as the consultant may have a legitimate role or interest in the audit. References: ISO 9001:2015, ISO 9001 Auditing Practices Group Guidance on Context of the Organization, ISO 9001 Auditing Practices Group Guidance on Audit Evidence

In ISO 9001:2015, the responsibility for managing the audit program lies with those overseeing the entire audit process rather than the Audit Team Leader. During the planning stage, before involving the Audit Team Leader, key actions for managing the audit program include:

1. Providing the Resources Needed: According to clause 7.1 (Resources), the audit program manager must ensure that the necessary resources are in place to conduct the audit effectively. This encompasses logistical support, personnel, and other required resources for the audit to proceed smoothly.

2. Reviewing Reports of Previous Audits: As per clause 9.2.2 (Internal Audit), it is essential to consider the results of previous audits to plan effectively for the upcoming audit. This helps identify areas that require particular attention, ensuring continuity and focusing on recurring issues or improvements since the last audit.

These actions ensure that the audit is thoroughly prepared and that there is continuity and focus on any areas that might need closer inspection. The other options, such as preparing the audit plan, assigning responsibilities, preparing checklists, and selecting the audit team members, generally fall under the duties of the Audit Team Leader once they are appointed and engaged in the planning process.

Clause 8.3.4.d of ISO 9001:2015 requires that design and development validation be performed to ensure that the resulting products or services meet the requirements for their specified application or intended use. Validation is critical to confirm that the product works as intended in real-world conditions.

In this case, Noitol omitted the design validation step approximately 50% of the time, which is a direct violation of Clause 8.3.4.d. Although they collect feedback after the fact, this is not a substitute for formal validation before the product is released. The nonconformity arises because the process of validation was neglected, not the recording of improvements or feedback.

Other options, such as documenting improvements (A) or issues with planning verification (B), are important but do not directly address the primary concern: the lack of consistent design validation before product release. Option D (8.6) concerns product release, but this nonconformity focuses on the validation stage, not just approval for release​.

To certify an organization's ISO 9001:2015-based Quality Management System (QMS) for the first time, the correct sequence of activities would be:

Establish the management system (already in place).

Supplier audit

Internal audit

Management review

Initial certification audit – stage 1

Initial certification audit – stage 2 (already in place).

This sequence follows the typical path for preparing and ensuring that a QMS is functioning as required, leading up to certification.

According to ISO 9001:2015, clause 9.2.2.e, the organization is required to retain documented information as evidence of the implementation of the audit programme and the audit results. This includes the records of the nonconformities identified during the internal audits and the corrective actions taken to address them. The organization is also required to verify the effectiveness of the corrective actions, as per clause 10.2.2.

Therefore, in the scenario given, the Quality Manager’s decision to automatically close any nonconformance over 3 years old without obtaining any confirmation from the relevant departments or verifying the effectiveness of the corrective actions is a clear violation of the requirements of clause 9.2.2.e. This indicates a lack of control and follow-up of the internal audit process, as well as a potential risk of recurrence or occurrence of the nonconformities in other areas. This also undermines the credibility and value of the internal audit programme, as well as the risk-based approach claimed by the Quality Manager.

Hence, the best course of action to take is D, to raise a nonconformance report against clause 9.2.2.e of ISO 9001, and to communicate the audit findings to the relevant management. The other options are either insufficient or irrelevant to address the issue, as they do not directly relate to the noncompliance with clause 9.2.2.e.

References:

ISO 9001:2015(en), Quality management systems — Requirements, clause 9.2.2 and 10.2.2

ISO 19011:2018(en), Guidelines for auditing management systems, clause 6.4.4 and 6.7.2

ISO 9001 Lead Auditor Training Course | IRCA Certified | BSI, section “Learning objectives”

ISO 9001 Lead Auditor Course Material | 3FOLD Education Centre, module 5 and 6

Based on the scenario provided, there is evidence of nonconformity with the requirements defined in:

C. Clause 7.5.1 Documented information - General: The scenario indicates that there is no formal process for informing users about updates to the SWIFT database, which suggests a lack of control over documented information. This could lead to users being unaware of important changes and not using the latest version of the software, which is required by the quality management system1.

E. Clause 7.5.3 Control of documented information: The Operations Director’s approach to updating the SWIFT database and the lack of communication to users about these updates indicate that the documented information is not adequately controlled. Allowing users to revert to earlier versions of the software at their discretion further suggests that the organization does not have a proper mechanism in place to ensure the integrity and suitability of documented information2.

These clauses are part of the ISO 9001:2015 standard, which requires organizations to have a systematic approach to controlling and managing documented information as part of their quality management system. The scenario described shows a casual approach to managing critical software updates, which could affect the organization’s ability to consistently meet customer and regulatory requirements.

 Understanding "Context of the Organization":The term "context of the organization" is defined in ISO 9001:2015 Clause 4.1, which states:

"The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system."

The definition emphasizes identifying both internal and external issues that influence the organization's approach to developing and achieving its objectives.

 Option Analysis:

Option A:Correct. This option aligns with the standard definition as it explicitly mentions the combination of internal and external issues that affect the organization’s approach to achieving its objectives, which is the essence of Clause 4.1.

Option B:Incorrect. The term "comparison of internal and external issues" does not reflect the ISO 9001 requirements. The standard does not require a comparison but rather an understanding of these issues.

Option C:Incorrect. Although it mentions "complexity," the focus of ISO 9001:2015 is on identifying relevant issues rather than the complexity of those issues.

Option D:Incorrect. This option mentions "coordination" and focuses only on the positive or negative effects. ISO 9001 requires identifying issues but does not emphasize coordination.

 Clause Reference and Relevance:ISO 9001:2015 requires organizations to understand their context because internal and external factors can influence the Quality Management System's effectiveness. Understanding this context helps in:

Addressing risks and opportunities (Clause 6.1).

Aligning the QMS with the organization’s strategic direction.

 Why A is Correct:"Combination of internal and external issues" captures the essence of Clause 4.1, making it the accurate definition of the context of the organization.

According to the guidance on conducting the audit closing meeting1, the audit team leader should provide a summary of the audit findings and conclusions, invite discussions, and agree on timelines for any corrective actions. The audit team leader should also be respectful, constructive, and objective when presenting the nonconformities, and avoid any personal or emotional comments. The audit team leader should also consider the impact of the disruptive event (such as the Covid-19 pandemic) on the auditee’s context, interested parties, and risks2, and acknowledge any good practices or improvements observed during the audit. Therefore, option D is the best option, as it follows the best practices for the closing meeting and allows the auditee to understand the nonconformities and their implications, and to participate in the analysis and resolution of the issues. Option A is not correct, as it is not respectful, constructive, or objective, and it does not invite any discussion or feedback from the auditee. It also assumes that the audit team leader has the authority to recommend the removal of the supplier from the approved list, which may not be the case. Option B is not correct, as it does not provide enough information or explanation to the auditee, and it does not allow any discussion or feedback from the auditee. It also does not follow the best practices for the closing meeting, such as providing a summary of the audit, acknowledging any good practices, and agreeing on timelines for corrective actions. Option C is not correct, as it does not involve the other managers who are responsible for the functions or processes that were audited, and who may have valuable input or information to share. It also does not follow the best practices for the closing meeting, such as providing a summary of the audit, inviting discussions, and agreeing on timelines for corrective actions. References: 1: Conducting the Audit Closing Meeting: Sharing the Results2: Auditing ISO 9001:2015 in the Context of a Disruptive Event.

Nonconformity report

ISO 9001 Clause Number: 8.5.4 Nature of problem: Cleaning and sanitising records are not available for every batch. ISO 9001 requirement that has not been fulfilled: ISO 9001 - “The organization shall implement planned arrangements, at appropriate stages, to verify that the product requirements have been met.” Evidence: 40 cleaning records are available for 63 batches.