ISO-9001-Lead-Auditor QMS ISO 9001:2015 Lead Auditor Exam Questions and Answers

A screenshot of a computer Description automatically generated

According to the ISO 9000:2015 - Quality management systems — Fundamentals and vocabulary, correction is defined as “action to eliminate a detected nonconformity”. A nonconformity is defined as “non-fulfilment of a requirement”. Therefore, the process of modifying a non-conforming product to bring it within acceptance criteria is a correction, as it eliminates the non-fulfilment of the product specification. The other options are not correct, as they have different definitions and purposes:

•Concession: permission to release or use a nonconforming product, service or process

•Corrective action: action to eliminate the cause of a nonconformity and to prevent recurrence

•Preventive action: action to eliminate the cause of a potential nonconformity or other undesirable potential situation

References: ISO 9000:2015 - Quality management systems — Fundamentals and vocabulary, ISO 9001 nonconforming product: How to understand dispositions - Advisera

The quality system failed to control the laundry services provided for customers in five shops. The equipment used was not capable of consistently producing the required service.

The audit team leader should deal with this situation in a professional and ethical manner, while maintaining the integrity and credibility of the audit process and the audit findings. The audit team leader should also try to resolve the conflict with the Quality Manager in a constructive and respectful way, without compromising the audit objectives or the audit team’s independence and impartiality. According to the ISO 9001 Lead Auditor Reference Materials guides and documents, the possible actions that the audit team leader might take are:

•A. Insist that the nonconformities must stand since they have been agreed by the team from other evidence gathered. This action is consistent with the principle of evidence-based approach, which states that the audit team should collect and verify information that is appropriate, sufficient, and reliable to support the audit findings and conclusions. The audit team leader should explain to the Quality Manager that the nonconformities are not based solely on the photographs, but on other audit evidence that corroborates them. The audit team leader should also remind the Quality Manager that the nonconformities are subject to review and approval by the certification body, and that any attempt to influence or interfere with the audit results would be considered a breach of the audit agreement and the certification rules.

•D. State that the auditor will take no further part in the audit and all his photographs will be deleted. This action is consistent with the principle of confidentiality, which states that the audit team should exercise discretion in the use and protection of information acquired during the audit. The audit team leader should acknowledge that the auditor’s behavior was inappropriate and unprofessional, and that he violated the audit rules and the auditee’s rights. The audit team leader should apologize for the inconvenience and the discomfort caused by the auditor, and assure the Quality Manager that the auditor will be removed from the audit team and that his photographs will be erased from his phone and any other device or media. The audit team leader should also inform the auditor of his misconduct and the consequences, and report the incident to the audit program manager and the certification body.

•F. Advise the Quality Manager that he, as audit team leader, needs to speak to the auditor about the situation and he will report back to the Quality Manager once this is done. This action is consistent with the principle of communication, which states that the audit team should exchange information with the auditee in a timely, open, honest, and respectful manner. The audit team leader should express his concern and his willingness to address the issue with the auditor, and ask for the Quality Manager’s patience and cooperation. The audit team leader should also explain that the audit process is not finished yet, and that the Closing meeting is an opportunity to present and discuss the audit findings and conclusions, and to seek feedback and clarification from the auditee. The audit team leader should then speak to the auditor privately, and follow the steps described in action D.

The other options are not appropriate or effective ways to deal with this situation, because they either:

•B. Delay the Closing meeting until the audit team leader has consulted his audit program manager at Head Office. This action would disrupt the audit schedule and the audit plan, and create unnecessary delays and costs for both the audit team and the auditee. It would also show a lack of leadership and decision-making skills from the audit team leader, and undermine his authority and credibility. The audit team leader should be able to handle the situation on site, and consult his audit program manager only if the situation escalates or becomes unmanageable.

•C. Advise the Quality Manager that the auditor will be reported to Head Office. This action would escalate the conflict and create a hostile and defensive atmosphere between the audit team and the auditee. It would also imply that the audit team leader is not capable or willing to resolve the issue himself, and that he is threatening or punishing the auditee for raising a legitimate concern. The audit team leader should try to defuse the tension and restore the trust and the rapport with the Quality Manager, and report the auditor to Head Office only after the audit is completed and the audit report is submitted.

•E. Apologise for the situation and ensure the Quality Manager that all photographs will be deleted during the Closing meeting. This action would not address the root cause of the problem, and would not prevent the auditor from taking more photographs or using them for other purposes. It would also expose the audit team and the auditee to unnecessary risks and liabilities, and compromise the confidentiality and the security of the audit information. The audit team leader should delete the photographs as soon as possible, and not wait until the Closing meeting.

References: ISO 9001:2015, ISO 19011:2018, PECB Certified ISO 9001 Lead Auditor, Common Audit Problems and How to Deal with Them, The Auditor’s Guide to Conflict Resolution, Conflict Resolution in your Audit Career, How to Be a Good Auditor as a Team Leader

According to the guidance on conducting the audit closing meeting1, the audit team leader should provide a summary of the audit findings and conclusions, invite discussions, and agree on timelines for any corrective actions. The audit team leader should also be respectful, constructive, and objective when presenting the nonconformities, and avoid any personal or emotional comments. The audit team leader should also consider the impact of the disruptive event (such as the Covid-19 pandemic) on the auditee’s context, interested parties, and risks2, and acknowledge any good practices or improvements observed during the audit. Therefore, option D is the best option, as it follows the best practices for the closing meeting and allows the auditee to understand the nonconformities and their implications, and to participate in the analysis and resolution of the issues. Option A is not correct, as it is not respectful, constructive, or objective, and it does not invite any discussion or feedback from the auditee. It also assumes that the audit team leader has the authority to recommend the removal of the supplier from the approved list, which may not be the case. Option B is not correct, as it does not provide enough information or explanation to the auditee, and it does not allow any discussion or feedback from the auditee. It also does not follow the best practices for the closing meeting, such as providing a summary of the audit, acknowledging any good practices, and agreeing on timelines for corrective actions. Option C is not correct, as it does not involve the other managers who are responsible for the functions or processes that were audited, and who may have valuable input or information to share. It also does not follow the best practices for the closing meeting, such as providing a summary of the audit, inviting discussions, and agreeing on timelines for corrective actions. References: 1: Conducting the Audit Closing Meeting: Sharing the Results2: Auditing ISO 9001:2015 in the Context of a Disruptive Event.

A white background with black text Description automatically generated

The purpose of a Stage 1 third-party audit is to determine an organization’s readiness for their Stage 2 Certification Audit. During the Stage 1, the auditor will review the organization’s management system documented information, evaluate the site-specific conditions, and have discussions with personnel. The objective is to assess the alignment of the organization’s design with ISO 9001 requirements and to identify any areas of concern that could be classified as a nonconformance during the Stage 2 Audit. The auditor will also use the Stage 1 Audit to complete Stage 2 Audit planning, including a review of the allocation of resources and details for the next phase of the audit. Therefore, the option that best describes the purpose of a Stage 1 third-party audit is A, to determine the auditees understanding of ISO 9001. The other options are not correct, as they are not the main focus of a Stage 1 audit:

•B. To get to know the organization’s customers: This is not the purpose of a Stage 1 audit, as the auditor is not interested in the specific details of the organization’s customers, but rather in the organization’s ability to meet customer and applicable statutory and regulatory requirements.

•C. To learn about the organization’s procurement processes: This is not the purpose of a Stage 1 audit, as the auditor is not interested in the specific details of the organization’s procurement processes, but rather in the organization’s ability to control externally provided processes, products and services.

•D. To introduce the audit team to the client: This is not the purpose of a Stage 1 audit, as the auditor is not there to make introductions, but rather to conduct a preliminary examination of the organization’s compliance with ISO 9001 standards.

References: What is the difference between Stage 1 and Stage 2 Audits? - ISO Update, The ISO 9001 Audit Process Explained | ISO Explained, What is an ISO Stage 2 Audit? — RiskOptics - Reciprocity

The activities that are specifically required by ISO 17021-1 as part of third-party (Certification Body) surveillance audit processes are:

•Option A: Audit use of certification marks on marketing materials. This option is correct because ISO 17021-1:2015 clause 9.6.2.2 requires the certification body to audit the client’s use of marks and/or any other reference to certification, as applicable, to ensure conformity with the certification requirements.

•Option B: Review changes to the QMS since last visit. This option is correct because ISO 17021-1:2015 clause 9.6.2.2 requires the certification body to review any changes affecting the client’s quality management system and its ability to continue to fulfil the requirements of the standard used for certification.

•Option C: Confirm effectiveness of internal audit and management review. This option is correct because ISO 17021-1:2015 clause 9.6.2.2 requires the certification body to confirm the continuing effectiveness of the client’s quality management system, including the effectiveness of the internal audit and management review processes.

•Option F: Review the status of previously raised findings and audit effectiveness of any outstanding findings. This option is correct because ISO 17021-1:2015 clause 9.6.2.2 requires the certification body to review the status of findings and any corrective actions taken by the client in response to previous audits, and to verify the effectiveness of the implemented corrective actions.

•Option H: Verify legal compliance. This option is correct because ISO 17021-1:2015 clause 9.6.2.2 requires the certification body to verify the client’s compliance with applicable statutory and regulatory requirements related to the scope of certification.

•Option I: Handling of customer complaints since last visit. This option is correct because ISO 17021-1:2015 clause 9.6.2.2 requires the certification body to review the client’s handling of customer complaints related to the certified activities since the last audit.

The following options are not correct:

•Option D: Complete a full document review of the quality management system. This option is not correct because ISO 17021-1:2015 clause 9.6.2.2 does not require the certification body to complete a full document review of the quality management system during surveillance audits. A full document review is only required during the initial certification audit or when there are significant changes to the quality management system or the certification requirements.

•Option E: Failing to meet financial responsibilities. This option is not correct because ISO 17021-1:2015 clause 9.6.2.2 does not require the certification body to audit the client’s financial responsibilities during surveillance audits. The certification body may have contractual arrangements with the client regarding the payment of fees, but this is not part of the surveillance audit process.

•Option G: Review the calibration status of the instrumentation. This option is not correct because ISO 17021-1:2015 clause 9.6.2.2 does not require the certification body to review the calibration status of the instrumentation during surveillance audits. The certification body may audit the client’s monitoring and measuring resources as part of the quality management system requirements, but this is not a specific activity required by ISO 17021-1.

•Option J: Conduct a minimum number of annual surveillance audits during the certification period. This option is not correct because ISO 17021-1:2015 clause 9.6.2.2 does not require the certification body to conduct a minimum number of annual surveillance audits during the certification period. The certification body may determine the frequency and duration of surveillance audits based on the risk and performance of the client, but this is not a specific activity required by ISO 17021-1.

References:

•ISO 17021-1:2015 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements

•ISO 9001 Lead Auditor Course Material, Module 7: Audit Follow-up and Surveillance, Slide 8: Surveillance Audit

•ISO 9001 Lead Auditor Training Course - IRCA Certified, Section 7.2: Audit Follow-up and Surveillance

•Lead Auditor Exam Preparation Guide (EPG) Template - PECB, Section 3.2: Exam Content Outline, Subsection 3.2.1: Section 1 - Audit Fundamentals, Subsection 3.2.2: Section 2 - Audit Principles, Subsection 3.2.3: Section 3 - Audit Process, Subsection 3.2.4: Section 4 - Audit Competencies

According to the definition in ISO 9000, a nonconformity is “non-fulfillment of a requirement”. There are three parts to a well-documented nonconformity: the audit evidence to support auditor findings; a record of the requirement against which the nonconformity is detected; and the statement of nonconformity1. In this case, the audit evidence is the dispatch records that show the same batch number of the product being delivered by two different trucks at different times. The requirement is the procedure P-02 Rev.3 that says that trucks should carry a complete batch. The statement of nonconformity is that the batch 33555 was delivered split in two different trucks (011 and 025), which does not conform to the procedure. Therefore, option C best describes the identified nonconformity, as it includes all three parts of a well-documented nonconformity. Option A is not correct, as it does not state the audit evidence or the requirement. Option B is not correct, as it does not specify the audit evidence or the statement of nonconformity. Option D is not correct, as it does not match the audit evidence or the requirement. References: 1: ISO 9001 Auditing Practices Group Guidance on Nonconformity - Documenting.

According to ISO 19011:2018, clause 6.7, the audit follow-up is the process of verifying the completion and effectiveness of corrective actions taken by the auditee as a result of an audit. The audit follow-up can include two main activities:

• Verifying the effectiveness of the implemented corrective actions: this means checking whether the actions taken by the auditee have addressed the root causes of the nonconformities and prevented their recurrence or occurrence in other areas. The verification can be done by reviewing documents, records, data, or other evidence provided by the auditee, or by conducting a follow-up audit on site or remotely.
• Verifying corrections taken to fix the reported non-conformities: this means checking whether the auditee has corrected the nonconformities identified during the audit and eliminated their immediate effects. The verification can be done by reviewing documents, records, data, or other evidence provided by the auditee, or by conducting a follow-up audit on site or remotely.

The audit follow-up can be conducted as a separate audit or as part of a subsequent audit, depending on the audit programme, the audit objectives, the audit criteria, the audit scope, the audit risks, and the audit findings. The audit follow-up should be planned and conducted in accordance with the same principles and processes as the initial audit, and the results should be documented and reported accordingly. References:

• ISO 19011:2018(en), Guidelines for auditing management systems, clause 6.7
• ISO 19011 Management Systems Audit Checklist | Process Street, task 6.7.1 and 6.7.2
• Conducting the Audit Follow-Up: When to Verify - The Auditor, section “Conducting the audit follow-up”

A first-party audit is an internal audit conducted by auditors who are employed by the organization being audited but who have no vested interest in the audit results of the area being audited1. The purpose of a first-party audit is to assess the conformity of the organization’s quality management system to the requirements of ISO 9001 and to identify opportunities for improvement2. Therefore, the two auditors who would not participate in a first-party audit are:

•A. An auditor employed by an external consultancy organization: This auditor is not employed by the organization being audited, and therefore does not qualify as a first-party auditor. This auditor may be hired to conduct a second-party audit (if the external consultancy organization is a customer or supplier of the organization being audited) or a third-party audit (if the external consultancy organization is a certification body or registrar).

•F. An auditor from a customer: This auditor is not employed by the organization being audited, and therefore does not qualify as a first-party auditor. This auditor may be hired to conduct a second-party audit, as a customer is an interested party that has specific requirements for the organization being audited.

The other options are not correct, as they could participate in a first-party audit, as long as they are employed by the organization being audited and have no vested interest in the audit results of the area being audited:

•B. An auditor from an interested party: This auditor could be a first-party auditor, as long as the interested party is within the organization being audited. For example, an auditor from the finance department could audit the production department, as long as they are not involved in the production process or affected by its outcomes.

•C. An auditor trained in-house: This auditor could be a first-party auditor, as long as they are employed by the organization being audited and have no vested interest in the audit results of the area being audited. The source of the auditor’s training is not relevant for determining the type of audit, as long as the auditor is competent and qualified to perform the audit.

•D. An auditor trained in the IRCA scheme: This auditor could be a first-party auditor, as long as they are employed by the organization being audited and have no vested interest in the audit results of the area being audited. The IRCA scheme is a professional certification scheme for auditors of management systems, which provides recognition of the auditor’s competence and credibility3. However, being trained in the IRCA scheme does not determine the type of audit, as long as the auditor is competent and qualified to perform the audit.

•E. An auditor certified by IRCA: This auditor could be a first-party auditor, as long as they are employed by the organization being audited and have no vested interest in the audit results of the area being audited. Being certified by IRCA means that the auditor has met the requirements of the IRCA scheme and has demonstrated their competence and credibility as an auditor of management systems3. However, being certified by IRCA does not determine the type of audit, as long as the auditor is competent and qualified to perform the audit.

References: First Party Audits: The 5 Steps to Success - Sync Resource Inc, ISO 9001 Auditing Practices Group, IRCA - International Register of Certificated Auditors

The table below shows the possible matching of the ISO 9001 Clause 8.3 extract to the audit evidence.

Table

Audit evidence

ISO 9001 Clause 8.3 extract

Half of all new products launched in the past 12 months were late. The NPD Manager explains he has not got enough people on his team to cope with the demand for new products.

“8.3.2 e) … internal … resource needs for the design and development of products …”

The NPD Manager explains many changes are made to cosmetic formulations during product development owing to retailer feedback. Only when confirmed by the retailer is the agreed formulation documented on SWIFT.

“8.3.5 … retain documented information …”

The NPD Manager explains that the customer confirms their approval to proceed with a new formulation by email. These emails are kept on SWIFT.

“8.3.6 … retain documented information …”

The NPD Manager shows you evidence of consumer trials that are carried out for some new products prior to full-scale launch.

“8.3.4 d) … conducted to ensure that the resulting products and services meet the requirements …”

The NPD Manager explains that an approved external laboratory is used to perform shelf-life stability trials on some formulations during product development.

“8.3.2 e) … external … resource needs for the design and development of products …”

According to ISO 19011:2018, clause 6.3.2, an audit plan should include the following information:

• The audit objectives, scope, and criteria
• The audit team members and their roles and responsibilities
• The audit schedule, including the sequence and timings of audit activities, such as opening meeting, document review, interviews, observations, closing meeting, etc.
• The expected time and duration of each audit activity and location
• The name and contact details of the auditee’s representative and other relevant parties
• The allocation of appropriate resources to support the audit activities
• The audit methods and techniques to be used, such as interviews, observations, sampling, etc.
• The audit documents and records to be prepared and retained
• The audit language and communication methods
• The audit risks and opportunities and how to address them
• The audit follow-up arrangements, if applicable

Therefore, the correct answer is D and F, as they are essential elements of an audit plan. The other options are either irrelevant or optional for an audit plan. References:

• ISO 19011:2018(en), Guidelines for auditing management systems, clause 6.3.2
• ISO 19011: Guidelines for Auditing Management Systems | ASQ, section “Making audit arrangements”
• ISO 19011 Management Systems Audit Checklist | Process Street, task 6.3.2

Nonconformity report

ISO 9001 Clause Number: 8.5.4 Nature of problem: Cleaning and sanitising records are not available for every batch. ISO 9001 requirement that has not been fulfilled: ISO 9001 - “The organization shall implement planned arrangements, at appropriate stages, to verify that the product requirements have been met.” Evidence: 40 cleaning records are available for 63 batches.