Management System Auditing: How to Relax When the Auditor Arrives

Presented by:
• Monisha Mandal – Telesis Corporation
• Lisa DuBrock – Radian Compliance, LLC
• Sally Smoczynski – Radian Compliance, LLC

Agenda
• Management System Auditing – Overview
• Internal Audits
• External Audits – 2nd party and 3rd party
• The Company's Perspective
• Relax

Management System Auditing – An Overview

Background
• A requirement of every management system standard.
  o ANSI/ASIS SPC.1 – Organizational Resilience – Clause A5.5
  o ANSI/ASIS PSC.1 – Private Security Company Operations – Clause 10.5
  o ISO 9001 – Quality Management Systems – Clause 8.2.2
• 3 types of auditing
  o 1st Party – Internal Auditing
  o 2nd Party – Typically Supplier initiated
  o 3rd Party – External Audit/Certification Audit
• 2 International Audit Standards
  o ISO 17011 – Used by Certification Bodies/Registrars
  o ISO 19011 – Used by both internal and external auditors

Requirements for Certification
• Internal Audit
  o At least 1 full system effectiveness audit to the standard needs to be completed prior to the stage 2 certification audit
  o Most organizations initially elect to have 2 internal audits prior to certification
    • A documentation and readiness review
    • An effectiveness review
• External Audit
  o Always 2 audit events
  o 1st event – a readiness review. Is the organization ready to move on to certification?
  o 2nd event – an effectiveness review. The words you are waiting to hear – "You are recommended for certification"

Relax

ISO – It's not about perfection: it's about Continual Improvement

Internal Audits – Are you really doing what you say you do?

Internal Audits
• DEF. – Systematic, independent and documented process for obtaining and objectively evaluating evidence – do you do what you say?
• Conducted by employees or outside contractors
• KEY – competence and independence
• COMPETENCE
  o How to Audit
  o Understand the Organization
  o Understand the Standard
• INDEPENDENCE
  o Can't audit your own work

Internal Audits (Cont.)
• Documented Process
  o Required documentation
    • Audit Schedule
    • Audit Plan
    • Opening meeting agenda/minutes
    • Closing meeting agenda/minutes
    • Audit Report
      o Non-conformities – Major, Minor and OFIs
    • Inputs to Continual Improvement and Management Review
• Timing and scheduling – 2.5–3 times the external audit process
• Annual or more often – 2–3 months prior to your surveillance audit
• Important – your corporate culture

Internal Audits (Cont.)
• People involved
  o Management Representative
  o Senior Management
  o Process Owners
  o Process Executors
  o Internal Auditor
• Internal Audit Pros
  o Potential issues exposed
  o Practice what you are going to say, and how to say it
  o Not a 'Gotcha Audit'
• Internal Audit Cons
  o Potentially Time Consuming
  o Hinges on Knowledge and Competency of auditor

Relax

Internal Auditor – Partner in your Management System

External Audit – 2nd Party and 3rd Party

2nd Party Audits
• A 2nd party audit is an external audit generally performed by a customer or supplier or by others on their behalf.
• Companies are subject to 2nd party audits if they are part of partner programs such as Cisco or Microsoft.
• You might provide services to a Customer who has included specific requirements within the contract that you must adhere to. Examples may be certain information security requirements, controlled procedures or business continuity requirements.
• Continued audits are determined by the rules of engagement with that customer or supplier.

3rd Party Audits
• The 3rd party audit is also an external audit but is generally performed by independent organizations such as registrars (certification bodies) or regulators.
• 3rd party audits are auditing your organization to a set of requirements, such as an ISO standard or other auditable framework.
• In most cases, 3rd party audits result in your organization getting a certification or a statement of compliance.
• 3rd party audits are generally time based and may require annual review and re-certification after 3 years.

Relax
• By the time the audit is scheduled, your organization has prepared itself accordingly and has followed the terms of the requirements to the best of its ability.
• Practice audit scenarios before the "real" audit. Learn from the internal audits.
• In a continual improvement model, it is all about improvement, so if there are deficiencies, making them better is encouraged and good practice.

"We all need people who will give us feedback. That's how we improve." ~ Bill Gates

The Company's Perspective

Telesis Corporation
• Celebrating 16 years
• Government contractor
• Strategic Business Areas
  o Engineering Services for Fielded Systems
  o New Equipment Training and FSR Cross Training
  o Help Desk Solutions and Services
  o Information Technology Services
  o Cybersecurity Services

Why Audit? An Organization Perspective
o Why does any company want to get into a certification or an audit?
  • Market driven
  • Approvals / Contracts
  • Regulatory issues – compliance, e.g. accurate posting of jobs on State Boards
  • Accountability – Professional reputation and credibility
  • Process Improvement

Confusing Start with ISO Certification….!!!!
o ISO – International Organization for Standardization. At ISO, they only develop International Standards. They DO NOT CERTIFY OR ACCREDIT.
o IAF – International Accreditation Forum. The IAF is the world association of Conformity Assessment Accreditation Bodies.
o CB – Certifying Body – if accredited with IAF or the national accreditation body
o ANAB – The ANSI-ASQ National Accreditation Board provides the accreditation for the certifying body in the US. ANAB is a signatory of the International Accreditation Forum (IAF).
o APMG – Same as ANAB
o ANSI – American National Standards Institute
o Many Others……..

Confusing Start with ISO Certification….!!!!

HELP!!!!

INTERNAL AUDITOR PARTNERSHIP with RADIAN COMPLIANCE

Selection of Auditor or Certification Body
• General Factors
  o Reputation in Industry
  o Establishment of credibility
  o Pricing
  o Number of certifications
    • Ability of a certifying body to provide a combined audit of several certificates
  o Customer Service
    • Model for communication with the client

Selection of Auditor or Certification Body
[Chart: How do organizations select their Certifying Bodies? Source: Study by www.JAS-ANZ.org]

Experience with some ISO Registrars and Auditors
• Consistency of Auditors and Audit
  o Auditor preferences, scope creep
• Transparency of the process
  o Certifying body – accreditation requirements from the accreditation body (ANAB and APMG) – adherence to Management system certification – ISO/IEC 17021
  o E.g. 1st year audit requirement
• Communication
  o Lack of communication (registrar and auditor)
  o Focus of the communication on new sales rather than existing certification
• Responsiveness to the needs of the organization
  o Audit Timelines
  o Escalation

Time for the Audit

Audit Anxiety??... Stress?? WHY?

Prepare and Plan with a Checklist
1. Know your services.
2. Learn where to locate the correct files, records and documents – clean project space to find files and records effectively.
3. Know your Quality Policy and Objectives.
4. Answer questions accurately. Stop speaking after you answer. Answer truthfully.
5. Ensure full knowledge of your non-conformities with their corrective actions.
6. Continuously improve, not just before an audit.
7. Don't argue with the auditor but put your point across with evidence and documentation.
8. Listen to the advice of the auditor.

Expectations from external auditor
[Chart: Source: Study by www.JAS-ANZ.org]

TELESIS Positive Audit Experiences
• Both positive and negative aspects when auditing
• Provided us as clients with the information to make improvements
• Shift in organization from Reactive activities to Proactive activities
• Assessed compliance against the organization's documented system
• Process oriented organization

ISO Audits help us achieve our tag line……

Questions?

How to contact us

Monisha Mandal
Corporate Compliance and Quality Manager
Telesis Corporation
Ph.#: 571 267 2931
Email: [email protected]

Sally Smoczynski
Managing Partner
Radian Compliance
Ph.#: 630-728-7181
Email: [email protected]

Lisa DuBrock
Managing Partner
Radian Compliance
Ph.#: 847-997-2032
Email: [email protected]

Thank you to ASIS Standards and Guidelines