My Reading on ASQ CQA HB Part I-IA~IE-s
My Reading on ASQ CQA
The Handbook Part 1~(IA-IE)
My Pre-exam Self Study Notes
6th September 2018~9th September 2019
Charlie Chong/ Fion Zhang
Practicing behind closed doors
The Magical Book of CQA
Fion Zhang at Shanghai
4th September 2018

ASQ Mission:
The American Society for Quality advances individual, organizational, and community excellence worldwide through learning, quality improvement, and knowledge exchange.

BOK
Knowledge: Percentage Score
I. Auditing Fundamentals (30 Questions): 20%
II. Audit Process (60 Questions): 40%
III. Auditor Competencies (23 Questions): 15.3%
IV. Audit Program Management and Business Applications (15 Questions): 10%
V. Quality Tools and Techniques (22 Questions): 14.7%
Total (150 Questions): 100%
https://asq.org/cert/resource/docs/cqa_bok.pdf

Content:
• My Reading on ASQ Handbook
1. IA. Chapter 1
2. IB. Chapter 2
3. IC. Chapter 3
4. ID. Chapter 4
5. IE. Chapter 5
6. To be continued.
• Thanks
http://www.gbv.de/dms/zbw/728414511.pdf

Foreword
Change is the only constant, and changes to the audit profession continue in order to improve effectiveness and efficiency and to adjust to changes in technology. We are no longer just process and system auditors; rather, members of our profession are valued teammates, adding fresh eyes and organizational expertise to the wealth of tools available to management. Management system standards such as ISO 9000-based management systems are now viewed as starting points for organizational excellence. ASQ Audit Division members are no longer considered compliance police. Rather, our membership has evolved to meet the challenges of the new millennium, just as Norm Frank predicted in his foreword to the second edition of this handbook. We are no longer just auditors; we are assessors, and our chosen discipline has grown to include advising management on best practices. We are teachers in the true sense of the word. This edition of The ASQ Auditing Handbook reflects those changes. Subject-matter experts skilled in the audit profession have grown the Body of Knowledge (BoK), working in tandem with the ASQ Certification Department, and this book reflects the latest revision. Teams of ASQ Certified Quality Auditors (CQAs), working on your behalf, met at ASQ headquarters and volunteered long hours to ensure that the BoK, reflected herein, represents generally accepted, world-class audit practices. Contributors to this book, also subject-matter experts, volunteered their time to ensure that the excellence of the new BoK is scholastically available to audit professionals the world over.

The words thank you don’t begin to express my appreciation to the ASQ Certification staff, the CQAs involved in updating the BoK, the Audit Division members who volunteer to manage the certification program, the CQAs who meet every year to write test questions, and the fine authors who contributed to the latest edition of this book. This book has become the text of choice for candidates sitting for the CQA examination. The exam is written such that the handbook is a major source of information needed to attain the CQA credential. Enjoy our latest edition, and use the information to grow your expertise. The path leading from compliance auditing to system assessing is great, but the rewards are worth the effort. I think you’ll find this book to be an invaluable resource to help you along that path.

George Callender
Chair, ASQ Audit Division

Notes to the Reader
This handbook supports the quality auditor BoK, developed for the ASQ CQA program. The quality audit BoK was revised in 2012. The fourth edition addresses new and expanded BoK topics, common auditing (quality, environmental, safety, and so on) methods, and process auditing. The handbook is designed to provide practical guidance for system and process auditors. Practitioners in the field provided content, example audit situations, stories, and review comments as the handbook evolved. New to the fourth edition are the topics of common and special causes, outliers, and risk management tools. Besides the new topics, many current topics have been expanded to reflect changes in auditing practices since 2004 and ISO 19011 guidance, and they have been rewritten to promote the common elements of all types of system and process audits (quality, environmental, safety, and health). The text is aligned with the BoK for easy cross-referencing. We hope that use of this handbook will increase your understanding of the auditing BoK.

Keywords:
• (1) common, (2) methods, and (3) process auditing
• Quality tools: common and special causes, outliers (outsiders), and risk management tools
• audits (quality, environmental, safety, and health).

The Use
The handbook can be used by new auditors to gain an understanding of auditing. Experienced auditors will find it to be a useful reference. Audit managers and quality managers will use the handbook as a guide for leading their auditing programs.

The handbook will also be used by trainers and educators as source material for teaching the fundamentals of auditing. It is not designed as a stand-alone text to prepare for the ASQ CQA exam. As with all ASQ certification activities, you are encouraged to work with your local section or the Quality Audit Division for preparation.

The ASQ Auditing Handbook, when used in conjunction with other published materials, is appropriate for refresher courses, and we hope that trainers will use it in that manner. The handbook contains information to support all aspects of the CQA BoK and is not limited to what new auditors need to know. Hence, the amount of material in each part of the handbook is not directly proportional to exam emphasis. The CQA exam is designed to test a candidate’s basic knowledge of quality auditing. All the information in the handbook is important, but those preparing for the CQA exam should spend more time on their weakest areas and on those parts of the BoK receiving more emphasis on the exam.

The number of questions and the percentage of CQA exam questions are indicated at the start of each part of the handbook.

The Contents
The handbook is organized to be in alignment with the CQA BoK. We have included the BoK at the back of the handbook as an appendix. Since many concepts and practices of process and system auditing are still evolving, the BoK will be revised from time to time. As changes occur, the handbook must also be revised to be current. Terms and definitions are addressed throughout the text. Definitions are taken from ISO 19011:2011 (Guidelines for auditing management systems) and ISO 9000:2005, with definitions from the former superseding the latter. Definitions have undergone extensive peer review and are accepted worldwide. However, even the definitions of audit terms continue to evolve in order to meet the needs of the users of the standard. The ASQ Auditing Handbook represents generally accepted audit practices for both internal and external applications. Thus, it may not depict (describe) the best practice for every situation.

The handbook uses generic terms to support broad principles. For clarity, specific industry examples and stories from CQAs are sometimes used to explain a topic in the BoK. The stories, depicted as sidebars, are a way for auditors to share their experiences. Industry examples incorporated into the text and presented in the appendices are not intended to be all-inclusive and representative of all industries. We are pleased to incorporate examples shared by audit practitioners as a means to add value to the text. Needless to say, this work cannot address the most appropriate practice for every industry or organization. In some cases CQA information needs are the same as other certified professional needs. Several sections in Part V, "Quality Tools and Techniques," are the same as similar sections for certified manager of quality. All sections and chapters are clearly marked and referenced. This publication, which describes audit methods and their application, is not intended to be used as a national or international standard, although it references many existing standards. The conventions for writing standards and using the term shall to mean a requirement and should to mean a guideline do not apply to The ASQ Auditing Handbook.

Keywords:
• Shall, should

Who Wrote It
The CQAs who supplied information for the handbook represent a broad spectrum of organizations in the United States and around the world. More than 120 individuals contributed material for the first, second, third, and fourth editions. Input from members and a number of published texts were also used to create and develop The ASQ Auditing Handbook. It represents internal and external audits in a variety of product and service industries, regulated and non-regulated. For each edition, a developmental editor gathered material to address the BoK topics and issued a manuscript to be reviewed by audit experts and practitioners in the field. Extensive peer review further strengthened the manuscript. The editor sorted, culled (select from many), augmented (enlarge), and refined the manuscript to be turned over to the publisher.

Why the Handbook
The ASQ Audit Division sponsored the development of this handbook to promote the use of auditing as a management tool - our primary mission. We believe that the Audit Division’s members possess the greatest concentration of theoretical and practical auditing knowledge in the world. In The ASQ Auditing Handbook, we have tried to give you the benefits of this collective expertise.

J. P. Russell, Editor

Keywords:
• development of this handbook to promote the use of auditing as a management tool—our primary mission

JP Russell Library
https://www.qualitywbt.com/library/jp-russell-library/

Acknowledgments
ASQ Audit Division members and experts have contributed to all editions of the handbook as contributors, reviewers, and handbook project leaders. For a list of our first, second, and third edition contributors and reviewers, please see Appendix K. For the fourth edition, we relied on expert input from the developmental editor, other proven expert sources, and peer review. The auditing BoK has evolved since the first edition of the handbook, published in 1997, and needs more refinement than creation. Over the years, the quality of the feedback from day-to-day practitioners has significantly improved the content applicability and value to users of the handbook.

Reviewers of the fourth edition of the handbook are:
• Nancy Boudreau, ASQ CQA, CQPA, RABQSA QMS PA
• Mary Chris Easterly, ASQ CQA, ASQ CMQ/OE
• Anita McReynolds-Lidbury, ASQ CQA
• Lawrence Mossman, ASQ CQA
• Sandra Storli, ASQ CMQ/OE, CBA, CQA, RABQSA-LA

J. P. Russell, Editor

Overview
This handbook is organized in the same way as the ASQ Certified Quality Auditor BoK: starting with Part I and ending with Part V. This section was written as an overview of auditing to better prepare readers for Part I of the handbook and is not meant to be an explanation of the BoK.

The word audit is associated with: (1) formal or methodical examining, (2) reviewing, and (3) investigating.

Professional groups such as ASQ and the Institute of Internal Auditors (IIA) define preferred methods for conducting examinations and investigations (to audit). For (1) product, (2) process, and (3) system audits, the Audit Division of ASQ has developed the BoK for auditing. ASQ also certifies individuals who meet the criteria for Certified Quality Auditor, Quality Auditor–HACCP (Hazard Analysis and Critical Control Point) Certification, and Quality Auditor–Biomedical. This handbook explains the topics listed in the BoK issued by ASQ. Auditing is a prescribed work practice or process. There is a preferred sequential order of activities that should be performed to conduct a proper audit.

Part II of the BoK ("Audit Process") follows the same preferred order. Audits must be prepared for (planning ahead), then performed (conducting the audit), the results reported (let everyone know what was found), and then the results responded to (feedback on what is going to happen next) by the organization that was audited. It is common to refer to these as phases of an audit:
1. preparation,
2. performance,
3. report, and
4. follow-up and
5. closure.

As with most service jobs, the outcome is influenced by how the service provider performs the job. That is why Part I of the handbook is about audit fundamentals, ethics, and conduct. Auditing is considered a profession; therefore, individual auditors need to know how to conduct themselves in a professional manner.

HACCP (Hazard Analysis and Critical Control Point)
HACCP is a management system in which food safety is addressed through the analysis and control of:
1. biological,
2. chemical, and
3. physical hazards
From:
1. raw material production,
2. procurement and handling,
3. to manufacturing,
4. distribution and
5. consumption
of the finished product.

ASQ also certifies individuals who meet the criteria for
(1) Certified Quality Auditor,
(2) Quality Auditor–HACCP (Hazard Analysis and Critical Control Point) Certification, and
(3) Quality Auditor–Biomedical.
https://www.fda.gov/Food/GuidanceRegulation/HACCP/
https://www.protrainings.eu/wiki/haccp/

Quality Auditing Technical Committee
In the late 1980s the Quality Auditing Technical Committee (now the Audit Division of ASQ) defined audit as:
A planned, independent, and documented assessment to determine whether agreed-upon requirements are being met.

For now, let us think of a quality audit as an assessment to determine whether agreed-upon quality requirements are being met and will continue to be met (whereas an environmental audit may be related to environmental requirements, a financial audit related to financial or accounting requirements, and so on).

A distinguishing attribute of an audit is objectivity. The individuals performing audits must be able to evaluate the area being audited in an (1) objective and (2) unbiased manner. The degree of objectivity varies depending on the situation and type of audit (purpose and scope). For example, auditors can audit within their own department, but they cannot audit their own jobs.

There are several groupings or classifications of audits, depending on the relationships (external and internal), the need for objectivity, and the reason for the audit (verification of product, process, or system). In Figure I.1, the circle represents an organization. Outside the circle are the organization’s customer(s) and supplier(s). All organizations have customer-supplier relationships. Any audits done inside the circle are internal audits, and audits done outside the circle are external audits. We further classify the audits as first-, second-, or third-party audits based on relationships. First-party audits are ones within the organization itself (the same as internal audits or self-assessment) and are inside the circle. Second-party audits are audits of suppliers or of customers crossing into the circle to audit the organization (their supplier). Third-party audits are totally independent of the customer-supplier relationship and are off to the right in the diagram. Third-party audits may result in independent certification of a product, process, or system.

Figure I.1 Types of audits.
Source: J.P. Russell & Associates training materials. Used with permission.
[Figure labels: Customer; Organization; Supplier. Internal: First-party (audit your own organization). External audit: Second-party (customer audits your organization); Second-party (you audit supplier); Third-party (independent audit organization audits you).]

Audits:
• First Party: Internal audit within your own organization
• Second Party: External audit on suppliers; external audit by customers on your organization
• Third Party: External independent audit organization on your organization

In the 1980s: A Look Back at History
http://phillips.blogs.com/goc/2014/01/current-long-war.html

El Salvador is one of the smallest countries of Central America with a population of approximately six million people. In the year 1980, El Salvador suffered from a bloody and long lasting war which lasted for a 12 year period. This war caused the deaths of 75,000 people and many innocent people were separated from their families. Many of the killed were innocent children and mothers. This war was fought between the Salvadoran government and FMLN which was a left wing group that was composed of guerillas. The National Guard which was the Salvadoran military was one of the most feared militaries and responsible for the deaths of many innocent individuals including Monsignor Romero who was an archbishop that was politically active and would tell the U.S not to help the El Salvador’s government. They were also responsible for the deaths of the four American churchwomen.
http://migrahackaz.leftwardthinking.com/?page_id=102

Dying for democracy: 1980 Gwangju uprising transformed South Korea
https://www.japantimes.co.jp/news/2014/05/17/asia-pacific/politics-diplomacy-asia-pacific/dying-democracy-1980-gwangju-uprising-transformed-south-korea/#.W5EN0twzaUk

Mujahedeen fighters in Afghanistan during the 1980s.
https://www.jacobinmag.com/2017/05/islamophobia-isis-al-qaeda-juan-cole

Auditors can focus the audit (examination and investigation) on different areas, depending on the needs.
• A product or service audit determines whether product or service requirements (tangible characteristics or attributes) are being met.
• The process audit determines whether process requirements (methods, procedures) are being met.
• A system audit determines whether system requirements (manual, policy, standards, regulations) are being met.

Audits:
• Product Audits: tangible characteristics or attributes are being met
• Process Audits: methods, procedures are being met
• System Audits: manual, policy, standards, regulations are being met

Dict: Tangible: something that can be touched or felt; something real or substantial.
Question: (tangible characteristic ≡ variable?)

The handbook discusses all types of audits, but most of the discussion is focused on system audits (being the most complex and having the greatest potential influence). A system can be thought of as a group of processes providing a product or service. When auditors are auditing, they are making observations and collecting evidence (data). They are seeking to verify that requirements are being met. They do this by collecting hard evidence, not hearsay or promises. Evidence produced as a result of the activity may be tangible objects or records, or personal observations. Auditors must be familiar with auditing techniques and the criteria they are auditing to. What auditors observe is not always straightforward or obvious, so they must be able to judge whether the intent (reason for the requirement) is being met or addressed. The audit evidence and the method of collecting the evidence form the basis of the audit report.
The primary participants needed for c<strong>on</strong>ducting an audit are the auditor, the auditee, and the<br />
client (?).<br />
• The pers<strong>on</strong> c<strong>on</strong>ducting the audit is called the auditor, lead auditor, or audit team leader.<br />
• The organizati<strong>on</strong> being audited or investigated is called the auditee.<br />
• There is also a client, the pers<strong>on</strong> or organizati<strong>on</strong> that has requested the audit.<br />

Audits are conducted only when someone requests one; they do not happen by accident. There has to be a sponsor or client with the authority to call for an audit. Any type of organization can be audited against a set of standard requirements. The organization can produce a product or provide a service, such as government agencies or retail stores. An organization can be audited against almost any type of standards or set of criteria. The criteria or standards can be government regulations, ISO 9001 or ISO 14001 requirements, TS16949, Malcolm Baldrige National Quality Award criteria, customer requirements, and so on. If there is a set of rules, auditors can compare actual practice with the rules. While auditors are comparing actual practice with the rules or standards (determining conformity or compliance to requirements), they may also observe that certain practices and trends are not in the best interest of the organization being audited.

Hence, auditors may report:
1. compliance and noncompliance
2. as well as areas that are not effective or areas that can be improved as input for management consideration. (Do these go to the Auditee?)
3. Auditors may also include best practices or good practices as part of an audit report so that they can be shared with other areas of the organization (Do these go to the Auditee?)
Keywords:
There has to be a sponsor or client with the authority to call for an audit.
An organization can be audited against almost any type of standards or set of criteria.
ISO/TS 16949 is an ISO technical specification aimed at the development of a quality management system that provides for continual improvement, emphasizing defect prevention and the reduction of variation and waste in the automotive industry supply chain.
Are items 2 & 3 input for management consideration only? The recommendations may be subjective.

Findings are the results of the investigation. They may be reported as nonconformities/conformities, findings, non-compliances/compliances, defects, concerns (?, subjective? Record as observations?) and so on. The audit results can include both positive and negative issues identified. It is important for everyone to agree on the terminology that will be used in the audit report.

Recently there has been more emphasis on looking beyond conducting the audit steps, to management of the audit process. It is important to understand the objectives of the audit function and the potential benefits to the organization. This understanding and clarification has resulted in some audit programs being strictly limited to auditing for compliance and other audit programs seeking information about the effectiveness and efficiency of internal controls. Auditing is a management tool used to verify that systems and processes are compliant/conformant, suitable to achieve objectives, and effective. For additional background information on auditing, continue on to Part I.

Keywords:
• The audit results can include both positive and negative issues identified.
• concerns
Concerns?

Scenario
Auditors Are Not Inspectors

All too often the term audit is used to describe an inspection activity. Inspection is a tool to detect errors or defects before a product is approved for release or distribution. It is normally part of the manufacturing or service approval process. An organization may form a quality control department to manage and conduct the inspections. In other cases, some organizations may use the word inspection to describe an audit. Audits conducted by the government (such as the FDA) may be described as inspections in regulatory documents. For the purposes of this handbook, we will differentiate between audits and inspections on the basis of national and international standards such as the ISO 19011 guideline standard regarding management system audits. As organization sectors (other than manufacturing) attempt to apply auditing principles, they may become frustrated due to some initial misunderstandings. One of these misunderstandings is the way they use the term audit.

For example, in the insurance industry, claims (such as medical, property, and liability) are processed as a case file. This file contains the insured party’s claim, the evidence, the adjuster’s report, the offered compensation, the accepted compensation, and the closing statement. All this paperwork is subject to error and omission. So the managers will audit these case files before they are ultimately closed. Sometimes the audit is performed before a check is cut. In reality, this is an inspection and not an audit.

The general public associates quality with conducting an inspection. The irony is that using inspections to ensure quality has proved to be too costly and ineffective compared to using other quality tools and techniques. For more information on the history of quality control and auditing, see Appendix E, “History of Quality Assurance and Auditing.”

Part I
Auditing Fundamentals
[27 of the CQA Exam Questions or 18 percent]

Chapter 1 Types of Quality Audits/Part IA
Chapter 2 Purpose and Scope of Audits/Part IB
Chapter 3 Criteria to Audit Against/Part IC
Chapter 4 Roles and Responsibilities of Audit Participants/Part ID
Chapter 5 Professional Conduct and Consequences for Auditors/Part IE

The purpose of Part I is to present audit purpose, types, and criteria as well as auditor roles and responsibilities. The last chapter addresses professional conduct and consequences for auditors. Ethics affect professional conduct, and professional conduct affects liability and audit credibility.

Part IA1
Chapter 1
Types of Quality Audits/Part IA

IA1. Method

An audit is a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.”

Several audit methods may be employed to achieve the audit purpose. There are three discrete types of audits: (1) product (which includes services), (2) process, and (3) system. (there is no organization audit!) However, other methods, such as a desk or document review audit, may be employed independently or in support of the three general types of audits. Some audits are named according to their purpose or scope. The scope of a department or function audit is a particular department or function. The purpose of a management audit relates to management interests such as assessment of area performance or efficiency.

What is management audit? - management audit relates to management interests such as assessment of area performance or efficiency. (It could be any of the three general types of audits?) (The management audit should not be attributed to the high-level “system audit” type?)

Types of Quality Audits
[Diagram labels: Business Performance Audit; System Audit; Risk Management Audit; Management Audit; Process Audit; Product Audit; Compliance Audit]

The purpose of a management audit relates to management interests such as assessment of area performance or efficiency. HB

An audit conducted on a management system is called a system audit. It can be described as a documented activity performed to verify, by examination and evaluation of objective evidence, that applicable elements of the system are appropriate and effective and have been developed, documented, and implemented in accordance and in conjunction with specified requirements. A system audit looks at everything within the system (that is, the processes, products, services, and supporting groups such as purchasing, customer service, design engineering, order entry, waste management, and training).

Types of Quality Audits
[Diagram labels: Business Performance Audit; System Audit; Risk Management Audit; Desk Audit; Process Audit; Compliance Audit; Product Audit]

A desk or document review audit may be employed independently or in support of the three general types of audits.

Product audit

A product audit is an examination of a particular product or service (hardware, processed material, software) to evaluate whether it conforms to requirements (that is, specifications, performance standards, and customer requirements). An audit performed on a service is called a service audit.

Elements examined may include (1) packaging, (2) shipment preparation and (3) protection, (4) user instructions, (5) product characteristics, (6) product performance, and (7) other customer requirements.

Product audits are conducted when a product is in a completed stage of production and has passed the final inspection. The product auditor uses inspection techniques to evaluate the entire product and all aspects of the product characteristics. A product quality audit is the examination or test of a product that had been previously accepted or rejected for the characteristics being audited. It includes performing operational tests to the same requirements used by manufacturing, using the same production test procedure, methods, and equipment.

The product audit verifies conformance to specified standards of workmanship and performance. This audit can also measure the quality of the product going to the customer. The product audit frequently includes an evaluation of packaging, an examination for cosmetics, and a check for proper documentation and accessories, such as proper tags, stamps, process certifications, use of approved vendors, shipment preparation, and security. Product audits may be performed on safety equipment, environmental test equipment, or products to be sent to customers, or they can be the result of a service such as equipment maintenance.

Product Audit: Elements examined may include (1) packaging, (2) shipment preparation and (3) protection, (4) user instructions, (5) product characteristics, (6) product performance, and (7) other customer requirements.
[Diagram labels: Product Audit; Other Customer Requirements; Packaging; Protection; Product Performance; Shipment Preparation; Product Characteristics; User Instruction]

Product Audit: Elements examined may include (1) packaging, (2) shipment preparation and (3) protection, (4) user instructions, (5) product characteristics, (6) product performance, and (7) other customer requirements.
[Diagram labels: Product Audit or Process Audit?; Other Customer Requirements; Packaging; Protection; Product Performance; Shipment Preparation; Product Characteristics; User Instruction]

Product Audit
Keywords:
• Product audits are conducted when a product is in a completed stage of production and has passed the final inspection.
• A product quality audit is the examination or test of a product that had been previously accepted or rejected for the characteristics being audited.

A product audit is the examination of the form, fit, and function of a completed item after final inspection. It is technical; it may involve special (sometimes periodic) examination, inspection, or testing of a product that previously passed final inspection and has been accepted for characteristics being audited to ensure that it has not degraded over time; and it can be customer oriented.

The reference standard for a product quality audit is the product quality program and the product performance specification.

One of its characteristics is a complete examination of a small sample of finished product. Sometimes a product audit includes the destructive test of sample products. A service audit is one type of product audit. For many services an auditor can verify physical attributes of the service that was performed. For example:
• Was the label added?
• Is the area clean?
• Have records been completed?
• Are tools organized?

For other services there are few or no traces of the service that was performed and therefore it must be verified by a process audit, for example, tuning an engine, performing repairs, receiving education or training, and receiving some personal services (a haircut can be checked and verified, but not a massage).

Process audit

The process audit is performed to verify that processes are working within established limits. “The process audit examines an activity to verify that the inputs, actions, and outputs are in accordance with defined requirements. The boundary (scope) of a process audit should be a single process, such as marking, stamping, cooking, coating, setting up, or installing. It is very focused and usually involves only one work crew.” A process audit covers only a portion of the total system and usually takes much less time than a system audit.

Keywords:
The boundary (scope) of a process audit should be a single process, such as marking, stamping, cooking, coating, setting up, or installing.

Question: For example, for refinery piping, is a process audit limited to a single activity (fit-up, welding, installation, testing, commissioning), with each activity constituting a single independent process audit?

A process audit is verification by evaluation of an operation or method against:
• predetermined instructions or standards to measure conformance to these standards and
• the effectiveness of the instructions.
(PDCA & Desk audit/ Document review?)

Such an audit may check conformance to defined requirements such as:
• time,
• accuracy,
• temperature,
• pressure,
• composition,
• responsiveness,
• amperage, and
• component mixture.
• could be any attributes or variables?

It may involve special processes such as heat-treating, soldering, plating, encapsulation, welding, and nondestructive examination. A process audit examines the resources (equipment, materials, people) applied to transform the inputs into outputs, the environment, the methods (procedures, instructions) followed, and the measures collected to determine process performance. A process audit checks the adequacy and effectiveness of the process controls established by procedures, work instructions, flowcharts, and training and process specifications.

Auditors conducting process audits by their nature follow a process. The audit method of following process steps is a process audit technique. The process audit technique is an effective audit method and offers a good alternative to auditing by clause element or department or function. System auditors may use process audit techniques to the extent possible when auditing a management system.

System Audit

An audit conducted on a management system is called a system audit. It can be described as a documented activity performed to verify, by examination and evaluation of objective evidence, that:
• applicable elements of the system are appropriate and effective and
• have been developed, documented, and implemented in accordance and in conjunction with specified requirements.

A quality management system audit evaluates an existing quality program to determine its conformance to company policies, contract commitments, and regulatory requirements. It includes the preparation of formal plans and checklists that are based on established requirements, the evaluation of implementation of detailed activities within the quality program, and the issuance of formal requests for corrective action where necessary. Similarly, an environmental system audit examines an environmental management system, a food safety system audit examines a food safety management system, and safety system audits examine the safety management system.

Criteria contained in the American Society of Mechanical Engineers (ASME) codes, nuclear regulations, good manufacturing practices, or ISO standards, for example, may describe a management system. Normally these descriptions state what must be done but do not specify how it must be done. The “how” is left up to the organization being audited. An auditor looks at the management systems that control all activities from the time an order comes into a company (that is, how the order is handled, processed, and passed on to operations, and what operations does in response to that order) through delivery of the goods, sometimes including transportation to the site. A system audit looks at everything within the system (that is, the processes, products, services, and supporting groups such as purchasing, customer service, design engineering, order entry, waste management, and training). It encompasses all the systems of the facility that assist in providing an acceptable product or service that is safe and conforms to applicable local, regional, national, and international requirements.

Question: an audit on the engineering design office, is this a process audit or a system audit?

Desk Audit or Document Review

A desk audit or document review is an audit of an organization’s documents. It can be conducted at a desk since people are not interviewed and activities are not observed. If auditing a new area, function, or organization, a desk audit must be conducted prior to a process or system audit to verify that documents meet requirements specified in the audit criteria or standards.

The document review verifies that there is an adequately defined process or system prior to the full process or system audit. Findings from a desk audit or document review help ensure that audit program resources are used efficiently. It would be very costly if an audit team arrived to do a system audit, only to find out that the established system was not adequate. Also, a desk audit or document review may be conducted periodically or when documents (processes) are changed to verify the adequacy of the changes.

Part IA2
Types of Quality Audits/Part IA
IA2. Auditor-Auditee Relationship

Internal and external audits

An audit may be classified as internal or external depending on the interrelationships that exist among the participants. Internal audits are first-party audits, while external audits can be either second- or third-party audits.
• Internal audits are audits of an organization’s product(s), processes, and systems conducted by employees of the organization.
• External audits are audits of an organization’s product(s), processes, and systems conducted by individuals who are not employees of the organization.

Figure 1.1 illustrates the classifications commonly used to differentiate between types of internal and external audits. The figure is provided as a guide to classifications, but there is no absolute rule, because there are exceptions. The types of audits depicted in Figure 1.1 are not mutually exclusive. An audit can be a blend of the different types of audits. Third-party auditors (certification) could be joined by second-party auditors (customer auditors), or internal auditors could be joined by external auditors (customer).

[Figure: Classification of Audits. Labels: Internal Audits; External Audits; First Party Audits; Second Party Audits; Third Party Audits]

No Absolute Rule

A second-party audit on a supplier could be joined by the supplier auditor; similarly, a second-party customer audit on an organization may be joined by the organization auditor(?)
• Internal auditors could be joined by external auditors (customer).
• Third-party auditors (certification) could be joined by second-party auditors (customer auditors).
Charlie Ch<strong>on</strong>g/ Fi<strong>on</strong> Zhang
<strong>Part</strong> IA2<br />
First-, Second-, and Third-Party Audits
First-Party Audit
A first-party audit is performed within an organization to measure its strengths and weaknesses against its own procedures or methods and/or against external standards adopted by (voluntary) or imposed on (mandatory) the organization. A first-party audit is an internal audit conducted by auditors who are employed by the organization being audited but who have no vested (inalienable) interest in the audit results of the area being audited. The auditing management systems standard ISO 19011 states that the independence of the audit team members from the activities to be audited should be considered, and to avoid conflicts of interest when selecting audit team members. Companies may have a separate audit group consisting of full-time auditors, or the auditors may be trained employees from other areas of the company who perform audits as needed on a part-time basis in addition to their other duties. One of the benefits of using part-time auditors is that the auditor learns the requirements by evaluating the objective evidence to determine conformance with the requirement beyond their normal work assignment. In some cases an organization may hire (outsource) an audit organization to conduct its internal audits. The benefits of hiring an external auditing organization are that internal employees do not have to take time from their day-to-day jobs, auditors may be more objective and impartial, and the organization may benefit from employing more experienced auditors.
A multisite company’s audit of another of its divisions or subsidiaries, whether it is local, national, or international, is often considered an internal audit. If, however, the other locations function primarily as suppliers to the main operation or location, audits of those sites would be considered second-party (external?) audits.
Brainstorming is a group creativity technique by which efforts are made to find a conclusion for a specific problem by gathering a list of ideas spontaneously contributed by its members. In other words, brainstorming is a situation where a group of people meet to generate new ideas and solutions around a specific domain of interest by removing inhibitions. People are able to think more freely and they suggest as many spontaneous new ideas as possible. All the ideas are noted down and are not critic
First-Party Audit: The Auditor Selections
Independent
• A first-party audit is an internal audit conducted by auditors who are employed by the organization being audited but who have no vested (inalienable) interest in the audit results of the area being audited.
• The auditing management systems standard ISO 19011 states that the independence of the audit team members from the activities to be audited should be considered, and to avoid conflicts of interest when selecting audit team members.
Source of Auditors
• Companies may have a separate audit group consisting of full-time auditors, or
• the auditors may be trained employees from other areas of the company who perform audits as needed on a part-time basis in addition to their other duties. One of the benefits of using part-time auditors is that the auditor learns the requirements by evaluating the objective evidence to determine conformance with the requirement beyond their normal work assignment.
• In some cases an organization may hire (outsource) an audit organization to conduct its internal audits. The benefits of hiring an external auditing organization are (1) that internal employees do not have to take time from their day-to-day jobs, (2) auditors may be more objective and impartial, and (3) the organization may benefit from employing more experienced auditors.
First Party or Second Party Audit within Own Organization?
• A multisite company’s audit of another of its divisions or subsidiaries, whether it is local, national, or international, is often considered an internal audit. If, however, the other locations function primarily as suppliers to the main operation or location, audits of those sites would be considered second-party (external?) audits.
Second-Party Audit
A second-party audit is an external audit performed on a supplier by a customer or by a contracted organization on behalf of a customer. A contract is in place, and the goods or service is being, or will be, delivered.
Note: If the contract is not in place the survey, assessment can not be termed as “Second-Party” or external “audit”?
Second-party audits are subject to the rules of contract law, as they are providing contractual direction from the customer to the supplier. Second-party audits tend to be more formal than first-party audits because audit results could influence the (future?) customer’s purchasing decisions.
A survey, sometimes called an assessment or examination, is a comprehensive evaluation that analyzes such things as facilities, resources, economic stability, technical capability, personnel, production capabilities, and past performance, as well as the entire management system. In general, a survey is performed prior to the award of a contract to a prospective supplier to ensure that the proper capabilities, controls, and systems are in place. The scope of the survey may be limited to specified management systems such as quality, environmental, or safety systems, or it may include the entire organization management system.
Second Party Audit and Survey/ Assessment
[Figure: Awarded Supplier (Contract): 2nd Party Audit by Client or 2nd Party Audit by Contracted Organization. Prospective Supplier (Contract not Awarded): Survey/ Assessment.]
A survey, sometimes called an assessment or examination, is a comprehensive evaluation that analyzes such things as:
1. facilities,
2. resources,
3. economic stability,
4. technical capability,
5. personnel,
6. production capabilities, and
7. past performance,
8. as well as the entire management system.
In general, a survey is performed prior to the award of a contract to a prospective supplier to ensure that the proper capabilities, controls, and systems are in place. The scope of the survey may be limited to specified management systems such as quality, environmental, or safety systems, or it may include the entire organization management system.
Third-Party Audit
A third-party audit is performed by an audit organization independent of the customer-supplier relationship and is free of any conflict of interest. Independence of the audit organization is a key component of a third-party audit.
Third-party audits may result in:
• certification,
• registration,
• recognition,
• an award,
• license approval,
• a citation,
• a fine, or
• a penalty
issued by the third-party organization or an interested party.
Third-party audits may be performed on behalf of an auditee’s potential customers who cannot afford to survey or audit external organizations themselves or who consider a third-party audit to be a more cost-effective alternative. Government representatives perform mandatory audits on regulated industries such as nuclear power stations, airlines, and medical device manufacturers to provide assurances of safety to the public.
• A third-party audit is performed by an audit organization independent of the customer-supplier relationship and is free of any conflict of interest.
• Third-party audits may be performed on behalf of an auditee’s potential customers who cannot afford to survey or audit external organizations themselves or who consider a third-party audit to be a more cost-effective alternative.
Keywords: Potential customer
Government representatives (USNRC) perform mandatory audits on regulated industries such as nuclear power stations, airlines, and medical device manufacturers to provide assurances of safety to the public.
https://www.nrc.gov/insp-gen.html
An auditor told of one case in which an organization wanted to acknowledge a supplier for the perfect product it had been receiving. However, during the award process it was discovered that the supplier had absolutely no quality system in place! The supplier was able to ship an acceptable product simply because its employees were good sorters.
Types of Quality Audits/Part IA/
3. Purpose
It is also common to refer to an audit according to its purpose or objectives. An auditor may specialize in types of audits based on the audit purpose, such as to verify:
• compliance,
• conformance, or
• performance.
Question: Compliance ≡ Conformance
Some audits have special administrative purposes such as auditing:
• documents,
• risk, or
• performance or
• following up on completed corrective actions.
Keywords: purpose or objectives; purpose ≡ objectives
[Figure: 1. Audit Authority: VP. 2. Purpose: Compliance. 3. Scope: Production Line #. 4. Type: Process Audit (internal). 5. Audit Against: Specific Company Procedures. Identifying Resources: auditor selection size/ numbers and qualification of auditors, documentation, logistic, tools, strategies.]
Certification Purposes
Companies in certain high-risk categories—such as toys, pressure vessels, elevators, gas appliances, and electrical and medical devices—wanting to do business in Europe must comply with Conformité Européenne Mark (CE Mark) requirements.
One way for organizations to comply is to have their management system certified by a third-party audit organization to management system requirement criteria (such as ISO 9001). Customers may suggest or require that their suppliers conform to ISO 9001, ISO 14001, or safety criteria. The U.S. Federal Acquisition Regulations (FARs) 48 CFR 46.202-4 (48 CFR 46 - Quality Assurance) replaced references to government specifications with higher-level contract quality requirements. Cited higher-level contract quality requirements include ISO 9001, AS9100, ANSI/ASQC E4, and ANSI/ASME NQA-1. However, this does not preclude other federal government entities, such as the Department of Energy (DOE) or the Department of Defense (DOD), from having additional requirements for the specific work they do (for example, nuclear facility standards/regulations such as Federal Register 10 CFR 830 Subpart A). Many national standards have been canceled, and users have been referred to the U.S.-adopted ISO 9001 standard. A third-party audit normally results in the issuance of a certificate stating that the auditee organization management system complies with the requirements of a pertinent (relevant, appropriate) standard or regulation.
Third-party audits for system certification should be performed by organizations that have been evaluated and accredited by an established accreditation board, such as the ANSI-ASQ National Accreditation Board (ANAB). As the U.S. accreditation body for management systems, ANAB accredits certification bodies for ISO 9001, ISO 13485, ISO/TS 16949 QMSs, and ISO 14001 EMSs, as well as for several other conformity requirements standards.
Accredited Third Party (ANAB-accredited certification body-CB)
Third-party audits for system certification should be performed by organizations that have been evaluated and accredited by an established accreditation board, such as:
• the ANSI-ASQ National Accreditation Board (ANAB). As the U.S. accreditation body for management systems, ANAB accredits certification bodies for ISO 9001, ISO 13485, ISO/TS 16949 QMSs, and ISO 14001 EMSs, as well as for several other conformity requirements standards.
• How many other US National Accreditation Board?
Quality Systems - Aerospace - Model for Quality Assurance in Design, Development, Production, Installation and Servicing AS9100
Standard AS9100 includes ASQ 9001:2000 quality system requirements and specifies additional requirements for the quality system of the aerospace industry. For those not involved in design activities (Ref. ASQ 9002), 4.4 is not applicable. It is emphasized that the quality system requirements specified in AS9100 are complementary (not alternative) to the contractual and applicable law and regulatory requirements. If you require the most recent version of this standard, please refer to AS9100A.
SAE International, initially established as the Society of Automotive Engineers, is a U.S.-based, globally active professional association and standards developing organization for engineering professionals in various industries. Principal emphasis is placed on transport industries such as automotive, aerospace, and commercial vehicles.
What’s the difference between certification, registration, and accreditation?
• The terms (1) certification and (2) registration are used interchangeably to refer to verifying the conformance of an organization’s management systems to a standard or other requirements.
• The term accreditation is used when validating or verifying the conformance of a certification body to the requirements of national and/or international criteria.
• Certification also refers to the process of validating and verifying the credentials of individuals such as auditors.
• A certification body, also known as a registrar, is a third-party company contracted to evaluate the conformance of an organization’s management systems to the requirements of the appropriate standard(s) and issue a certificate of conformance when warranted.
Certification/Registration (Awarded to Organization/Individual by CB)
• The terms (1) certification and (2) registration are used interchangeably to refer to verifying the conformance of an organization’s management systems to a standard or other requirements.
• Certification also refers to the process of validating and verifying the credentials of individuals such as auditors.
Accreditation (Awarded to CB/ Registrar by National Accreditation Board)
• The term accreditation is used when validating or verifying the conformance of a certification body to the requirements of national and/or international criteria.
• A certification body, also known as a registrar, is a third-party company contracted to evaluate the conformance of an organization’s management systems to the requirements of the appropriate standard(s) and issue a certificate of conformance when warranted.
[Figure: National Accreditation Board (UKAS/ ANAB..); Certification Third Party (either accredited or not); Individual or Organization being certified.]
[Figure: Accreditation Certificates from UKAS (Inspection/ Certification Body)]
[Figure: Accreditation Certificates from CNAS & UKAS]
[Figure: Certification/Registration by Accredited Third Party Certification Body]
UKAS
The United Kingdom Accreditation Service (UKAS) is the sole national accreditation body recognized by the British government to assess the competence of organizations that provide (1) certification, (2) testing, (3) inspection and (4) calibration services. It evaluates these conformity assessment bodies and then accredits them where they are found to meet the internationally specified standard.
Were the competencies of the appointed so-called BINDT’s “AQB”, “AEC”, especially “AQB”, individually assessed by UKAS? Or had the BINDT provided positive evidence that their suppliers “AQB” were audited and assessed to have satisfied UKAS competency requirement? Is it correct for BINDT to authorize the “AQB” to administer the BINDT certification activities on its behalf independently?
BINDT AEC & AQB (Case Study)
AEC & AQB: Authorized Examination Centre and Authorized Qualifying Body
AEC – Authorised Examination Centre – is a location, approved by BINDT, where PCN examinations are conducted.
AQB – Authorised Qualifying Body – is a body, independent of any single predominant interest, satisfying the criteria detailed in PCN document reference CP9 and authorised by the British Institute of NDT to prepare and administer PCN examinations to qualify NDT personnel.
Document CP9 prescribes the requirements that aspirant and existing BINDT AQBs are to satisfy in order to gain and maintain authorisation to conduct qualification examinations leading to the award by BINDT of PCN certification. Such requirements cover the facilities, resources, quality systems, staff and records to be maintained.
http://www.bindt.org/What-is-NDT/Index-of-acronyms/A/AEC-and-AQB/
UKAS The United Kingdom Accreditati<strong>on</strong> Service (UKAS) is the sole nati<strong>on</strong>al accreditati<strong>on</strong> body<br />
recognized by the British government to assess the competence of organizati<strong>on</strong>s that provide (1)<br />
certificati<strong>on</strong>, (2) testing, (3) inspecti<strong>on</strong> and (4) calibrati<strong>on</strong> services. It evaluates these c<strong>on</strong>formity<br />
assessment bodies and then accredits them where they are found to meet the internati<strong>on</strong>ally specified<br />
standard.<br />
Were the competencies of the appointed so called BINDTs’ ―AQB‖, ―AEC‖, (especially ―AQB‖) individually<br />
assesses by UKAS? or the BINDT had provide positive evidence that their suppliers ―AQB‖ were audited<br />
and assessed to be satisfied UKAS competency requirement. Is it is correct for BINDT to authorized the<br />
―AQB‖ to administrate the BINDT certificati<strong>on</strong> activities <strong>on</strong> behalf totally and independently?<br />
Part IA3
Certification/Registration by Accredited Third Party Certification Body
UKAS: The United Kingdom Accreditation Service (UKAS) is the sole national accreditation body recognised by the British government to assess the competence of organisations that provide (1) certification, (2) testing, (3) inspection and (4) calibration services. It evaluates these conformity assessment bodies and then accredits them where they are found to meet the internationally specified standard.
An organisation accredited by UKAS can demonstrate competence, impartiality and reliability in its ability to deliver results. Accreditation ensures that everyone from specifiers, purchasers, and suppliers (?) to consumers can have confidence in the quality of goods and in the provision of services throughout the supply chain. It was set up in 1995 under a memorandum of understanding with the British government (between UKAS and the Secretary of State for Business Innovation and Skills). It resulted from the merger in 1995 of NAMAS (National Measurement Accreditation Service) and NACCB (National Accreditation Council for Certification Bodies). NAMAS was itself the result of a merger in 1985 of NATLAS (National Testing Laboratory Accreditation Scheme) formed in 1981 and BCS (British Calibration Service) formed in 1966.
Performance versus Compliance/Conformance audits
There has been increased emphasis on how audits can add value. Various authors use the following terms to describe an audit purpose beyond compliance and conformance:
• value-added assessments,
• management audits,
• added value auditing,
• and continual improvement assessment.
Value-Added-Auditing: it's "a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."
https://www.qualitydigest.com/oct02/articles/04_article.shtml
The purpose of these audits goes beyond traditional compliance and conformance audits. The audit purpose relates to organization performance. Audits that determine compliance and conformance are not focused on good or poor performance. Yet performance is an important concern for most organizations.
A key difference between compliance/conformance audits and audits designed to promote improvement is the collection of: "audit evidence related to organization performance versus evidence to verify conformance or compliance to a standard or procedure."
An organization may conform to its procedures for taking orders, but if every order is subsequently changed two or three times, management may have cause for concern and want to rectify the inefficiency. All types of audits—including product, process, and system and first-, second-, and third-party audits—can include a purpose to identify and report performance observations.
However, audits with an objective to identify risks and opportunities for improvement are more likely to be first-party, process, or system audits. If an organization's audit program has an objective for audits to be a management tool for improvement, performance may be included in the audit purpose.
The mission of the ASQ Audit Division is "to develop the expectations of the audit profession and auditors. To promote to stakeholders auditing as a management tool to achieve continuous improvement and to increase customer satisfaction."
CAPA: The analytical aspects of both corrective and preventive actions also harken back to PDCA. The component of preventive action that encourages documentation and company education on innovations and lessons learned is similar to Yokaten in lean manufacturing.
https://www.smartsheet.com/corrective-and-preventive-action
Follow-up audit
A product, process, or system audit may have findings that require correction and corrective action. Since most corrective actions cannot be performed at the time of the audit, the audit program manager may require a follow-up audit to verify that corrections were made and corrective actions were taken. Due to the high cost of a single-purpose follow-up audit, it is normally combined with the next scheduled audit of the area. However, this decision should be based on the importance and risk of the finding. An organization may not be willing to risk a fine due to a repeat sampling equipment failure or risk sending customers a nonconforming product.
An organization may also conduct follow-up audits to verify preventive actions were taken as a result of performance issues that may be reported as opportunities for improvement.
Other times organizations may forward identified performance issues to management for follow-up.
Keywords:
.. preventive actions were taken as a result of performance issues that may be reported as opportunities for improvement.
Preventive Action
Definition: Preventive Action
A preventive action is a change implemented to address a weakness (opportunities for improvement) in a management system that is not yet responsible for causing nonconforming product or service.
https://en.wikipedia.org/wiki/Preventive_action
Part IA4
Types of Quality Audits/Part IA
4. Common Elements With Other Audits
Regardless of the scope of a system or process audit, they all have some common elements.
ISO 19011:2011 defines an audit as a "systematic, independent and documented process for obtaining audit evidence [records, statements of fact, or other information relevant to the audit criteria and verifiable] and evaluating it objectively to determine the extent to which audit criteria [set of policies, procedures, or requirements] are fulfilled."
Audits can address almost any topic of interest where activities or outputs result from defined plans. The scope of the audit might be product or service quality; environmental, marketing, or promotional claims; financial results and statements; health and safety conditions; equal opportunity compliance; internal controls for operations (Sarbanes-Oxley); postproduction sales and service with feedback for improvement; and the like. Basically, if an activity or status is subject to planning or reporting, it can be audited.
Evaluation & Assessment
Audit-like inquiries that do not fulfill all the technical requirements of an audit (such as an audit plan or avoiding conflicts of interest) are known as:
• an evaluation or
• an assessment.
• a survey?
Evaluation (Compare)
Commonly, evaluations are fairly subjective audit-like activities that compare current performance with some potential status, like theoretical capacity or capability of a system or process, for example. Evaluations are judgments. Similarly, assessments are activities that more closely align with the definition of an audit but lack satisfying some known and identified requirement.
Assessment (Estimate)
Assessments are estimates or determinations of significance or importance.
Audit (Processes)
The key concept is that audits, regardless of form or name, are processes. Processes consist of a set of resources (materials, labor, finance, and so on) called the inputs being transformed through interactions to create outputs. Outputs of processes are typically not just the desired product or service but also the nonconforming product or service, waste, pollution, and worn equipment or tooling. In most cases, unless management specifically requests the associated negative or less positive results, only the desired positive outputs are emphasized, and management is provided with less than the total available data or information necessary to manage the organization and avoid risks.
For the audit process, we have inputs of competent auditors; an authorizing, supportive client; cooperative auditee personnel; defined auditee plans and procedures for satisfying requirements and accomplishing objectives (purpose); an identified audit purpose and scope; reference documents; and appropriate administrative and infrastructure support. These inputs, along with a planned sequence of audit activities, provide an output of accumulated data that are transformed into useful actionable information and presented to the auditee and the client in a formal report. Appropriate follow-up corrective and preventive actions are implemented to support improvements and mutual benefits.
Input & Output
Input
1. Audit Authority: VP
2. Purpose: Compliance
3. Scope: Production Line #
4. Type: Process Audit (internal)
5. Audit Against: Specific Company Procedures
6. Identifying Resources: Auditor selection size/numbers and qualification of auditors, documentation, logistic, tools, strategies.
Output
provide an output of accumulated data that are transformed into useful actionable information and presented to the auditee and the client in a formal report. Appropriate follow-up corrective and preventive actions are implemented to support improvements and mutual benefits.
Some common elements of audits include:
1. Purpose and scope: "Why are we doing this?" The answer will provide the purpose of the audit and lead to the proper scope (extent) of inquiry.
2. Document review: Documents are reviewed during the audit preparation phase to determine whether the auditee has developed a suitable (adequate and appropriate) set of comprehensive documents for the audited area or activities to satisfy all relevant goals and requirements. (Desk Audit to be performed during audit preparation phase)
3. Preparation for review: Details of who will be interviewed (not until advised by the auditee organization during the entry meeting?), at what location, and which aspects of the operations should be scheduled. Data collection plans are finalized.
4. On-site or remote data collection (the audit): Actual data collection activities may vary somewhat (for example, a shorter opening meeting) in internal and external audits due to the familiarity of auditor(s) and auditee, and auditor's knowledge of auditee's processes, products, services, and infrastructure. External audits are generally more formal. Collection of data, however, is the same for both internal and external audits.
5. Formal audit report: While most audit reports follow a prescribed format, sometimes the client (or an applicable standard) may require a unique format for the audit. Audit reports normally include an introduction, an overall summary, findings, and conclusions.
6. Audit follow-up: The auditee is responsible for implementation of the corrective action and its verification. An auditor may be assigned to perform a follow-up audit (an independent verification that the corrective action was implemented and effective).
The auditing community continues to move toward establishing common audit practices. The ISO 19011 provides guidance on all management system audit types, such as quality, environmental, and occupational safety and health. The main differences among audits are the standards against which the organization is audited and the emphasis on certain techniques over others, depending on whether it is a quality, environmental, or safety audit.
Part IB
Chapter 2
Purpose and Scope of Audits/Part IB
The type of audit to be performed may be described by its scope or purpose. An auditor may conduct system audits of a department or function such as manufacturing, operations, or a laboratory. Process audits can be described as machining, cutting, testing, extinguishing, welding, loading, packaging, and sealing audits. Similarly, product or service audits can be described by the name of the product or service, such as X cable, ready room, package, and tire audits. An audit may also be described by its purpose, such as a verification, management, or compliance audit.
Audit Reason
An audit can provide management with unbiased facts that can be used to:
• Provide input to management so that they can make informed decisions
• Keep management informed of actual or potential risks
• Identify areas of opportunity for improvement
• Assess personnel training effectiveness and equipment capability
• Provide visible management support of the quality, environmental, safety, and other programs
• Ensure ongoing compliance and conformity to regulations and standards
• Determine system and process effectiveness
• Identify system and process efficiencies
The purpose of most audits is to determine compliance or conformity of a system, process, or product to requirements.
An auditor may determine whether the documented system conforms to requirements and whether it has been implemented by the users. Auditors can also determine effectiveness based on the ability of the organization to achieve stated objectives. Management has a need to ensure ongoing compliance and conformance.
Management also needs factual information to stay competitive and to allocate resources. The need for system and process audits may also include:
• Monitoring risk treatments
• Identifying risks
• Improving organization performance
The words effectiveness, efficiency, and performance are related because they are linked to management's interests to stay competitive and achieve budgetary goals. Public sector organizations are interested in effectiveness, efficiency, and performance so that they can meet budget requirements and use resources efficiently, whereas determination of compliance and conformity is more closely linked to meeting requirements and maintaining the status quo. Experts state that if a process is meeting output objectives, it is an effective process. Management determines the goals and objectives. Audit evidence should indicate whether the process owners are measuring results against the stated objectives/goals. They should know whether the process objectives are being achieved. A first-party audit may be needed by management to ensure that procedures are adequate and utilized, and to provide for early detection of a problem, which gives management the opportunity to identify root causes of problems and take corrective action.
The tasks of management at whatever level in the organization are to identify possible sources of problems, to plan preventive action in order to forestall (act in advance) the problems, and to solve them should they arise. If this were not the case, managers would not be needed. When reduced to fundamentals, the vast majority of the problems are, in essence, quality problems. They are problems concerning the quality of work being performed, the quality of work that has been performed, the quality of items being received, the quality of information being communicated, the quality of available equipment, the quality of decisions made. All quality problems have a cost associated with them. It, therefore, follows that the avoidance, prevention, and resolution of these problems equates to the prevention and reduction of unnecessary costs.
Second-party supplier audits may be needed to help eliminate the shipping of nonconforming products and reduce costs and waste. Audits of suppliers may promote:
• partnerships that ensure a better understanding of customer expectations or
• provide a means for technology transfer between the customer and the supplier.
Second-party quality audits help ensure a better final product by verifying that there are appropriate controls for inputs into the system. Second-party environmental or safety audits are not the norm; however, if a customer-supplier relationship included environmental and safety requirements, they could be audited as well.
The reason for most third-party audits is to verify compliance or conformance to specified regulations or standards. The regulations and standards may be required by law, such as in the FAA, FDA, and Department of Energy (DOE) regulations, or they may be voluntary, such as ISO 9001, TS 16949, or AS9100. Some organizations seek third-party audits to improve their competitive position, for recognition in the form of a certificate, or for an award.
Audit Type: Purpose
• First-party audits: to measure its strengths and weaknesses against its own procedures or methods and/or against external standards adopted by (voluntary) or imposed on (mandatory) the organization. (IA2)
• Second-party audits: help ensure a better final product by verifying that there are appropriate controls for inputs into the system. (IB2)
• Third-party audits: to verify compliance or conformance to specified regulations or standards, to improve their competitive position, for recognition in the form of a certificate, or for an award. (IB2)
DOT 49 CFR 192
Pipeline and Hazardous Materials Safety Administration
The reason for most third-party audits is to verify compliance or conformance to specified regulations or standards. The regulations and standards may be required by law, such as in the FAA, FDA, and Department of Energy (DOE) regulations, or they may be voluntary, such as ISO 9001, TS 16949, or AS9100.
IB1. Elements Of Purpose And Scope
Audit Purpose
It is the client's responsibility to determine the purpose of an audit. Usually, this statement is specific. However, a client may state the purpose in general terms with the understanding that the lead auditor will specify the particulars to fit the situation. In the case of an audit performed on a regular basis, the purpose may have been defined and known well in advance of the audit by all parties. First-party audits may be performed to assure management that the audited area is in compliance with particular standards and that the goals and strategies of the organization are being met. The following list provides example purpose statements for first-party audits.
Purpose And Scope
1. Audit Authority: VP
2. Purpose/Objective: Compliance
3. Scope: Production Line #
4. Type: Process Audit (internal)
5. Audit Against: Specific Company Procedures
6. Identifying Resources: Auditor selection size/numbers and qualification of auditors, documentation, logistic, tools, strategies.
• Who determines the purpose of an audit?
The Client.
• Who is the Client?
There is also a client, the person or organization that has requested the audit. Audits are conducted only when someone requests one; they do not happen by accident. There has to be a sponsor or client with the authority to call for an audit. (HB page xx)
First-Party Audit
The purpose of the first-party audit is to:
• Ensure continued compliance or conformance (readiness) of the management system, to evaluate the effectiveness of the system in meeting the stated goals and objectives, and to identify opportunities for improvement in the product, process, and system
• Review the mechanical assembly area's compliance with procedures and to evaluate the procedures for opportunities for improvement
• Confirm that project engineering, document control, and procurement activities performed in support of basic design are being accomplished in accordance with the Quality Assurance Manual, selected integrated execution procedures, and governing project procedures, including, as appropriate, client requirements
• Assess the progress of the management system toward meeting the requirements of a management system standard such as ISO 9001, ISO 13485, ISO/TS 16949, ISO 22000, and ISO 14001
• Identify opportunities for improved system/process effectiveness to achieve objectives
• Identify process efficiencies for the delivery of products and services
• Report organizational risks to management for evaluation
The Management Standards
Assess the progress of the management system toward meeting the requirements of a management system standard such as ISO 9001, ISO 13485, ISO/TS 16949, ISO 22000, and ISO 14001
The Standards / Descriptions
• ISO 9001 is a set of International Standards for management and verification of good quality management practices.
• ISO 13485 is an International Organization for Standardization (ISO) standard, published in 2003, that represents the requirements for a comprehensive quality management system for the design and manufacture of medical devices.
• ISO/TS 16949 is an ISO technical specification aimed at the development of a quality management system that provides for continual improvement, emphasizing defect prevention and the reduction of variation and waste in the automotive industry supply chain.
• ISO 22000 is a Food Safety Management System that can be applied to any organization in the food chain, farm to fork.
• ISO 14001: ISO 14000 is a family of standards related to environmental management that exists to help organizations (a) minimize how their operations (processes, etc.) negatively affect the environment (i.e. cause adverse changes to air, water, or land); (b) comply with applicable laws, regulations, and other environmentally oriented requirements; and (c) continually improve in the above.
The Management Standards
The Standards and their descriptions:
ISO 9001: ISO 9001 is a set of International Standards for management and verification of good quality management practices.
TL 9000: TL 9000 is a quality management practice designed by the QuEST Forum in 1998. It was created to focus on supply chain directives throughout the international telecommunications industry, including the USA. As with ISO/TS 16949 for the automotive industry and AS9000 for the aerospace industry, TL 9000 specializes the generic ISO 9001 to meet the needs of one industrial sector, which for TL 9000 is the information and communications technology (ICT)—extending from service providers through ICT equipment manufacturers through the suppliers and contractors and subcontractors that provide electronic components and software components to those ICT equipment manufacturers.
AS9100: AS9100 is a widely adopted and standardized quality management system for the aerospace industry. It was released in October, 1999, by the Society of Automotive Engineers and the European Association of Aerospace Industries.
ISO 13485: ISO 13485 Medical devices -- Quality management systems -- the requirements for a comprehensive quality management system for the design and manufacture of medical devices.
ISO/TS 16949: ISO/TS 16949 is an ISO technical specification aimed at the development of a quality management system that provides for continual improvement, emphasizing defect prevention and the reduction of variation and waste in the automotive industry supply chain.
ISO 22000: ISO 22000 is a Food Safety Management System that can be applied to any organization in the food chain, farm to fork.
ISO 14001: ISO 14000 is a family of standards related to environmental management that exists to help organizations (a) minimize how their operations (processes, etc.) negatively affect the environment (i.e. cause adverse changes to air, water, or land); (b) comply with applicable laws, regulations, and other environmentally oriented requirements; and (c) continually improve in the above.
What does TS in ISO/TS 16949 mean?
https://ciiaas.files.wordpress.com/2007/11/iso-ts-16949-2002.pdf
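Meal Time
Tonight's dinner is Jinling roast duck.
Jinling roast duck is one of the recipes of Jiangsu cuisine. Duck skin is the main ingredient, and the cooking technique is mainly roasting. The duck skin is golden red, crisp and flaky, and glossy with oil; the meat is tender and fragrant and leaves a lingering aroma in the mouth. It is peerless in color, aroma, and taste. 4. Cooking of mountain delicacies and game dishes.
20180911-1822hrs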
As auditing has evolved, management also expects management risks to be identified. Risk exists in all processes; however, the kind and degree of risk must be managed. There may be safety (worker or customer injury), environmental (pollution, fines), financial (loss of revenue, excessive cost), and customer goodwill (loss of future sales) risks. Management needs to be informed of risks to the organization as input into the decision-making process. Example objectives of a process performance audit may be to:
• Determine if the system design is adequate to achieve organization objectives
• Identify performance weaknesses and strengths
• Verify process responsiveness to customer and organization needs
• Identify process risks and areas to be optimized
[Diagram: Internal Process Performance Audit. Boxes: determine if the system design is adequate to achieve organization objectives; identify performance weaknesses and strengths; verify process responsiveness to customer and organization needs; identify process risks and areas to be optimized. Goal box: continuous improvement and to increase customer satisfaction (the mission of the ASQ Audit Division).]
Risk-Based Auditing
Some audit programs may allocate resources specifically to areas that have been problematic or that are high risk. This could include product characteristics, product or process hazards, personnel or process safety, and environmental controls. This is often called risk-based auditing. A starting point for risk-based auditing is for the organization to identify and quantify its risks.
Risk-based auditing is a style of auditing which focuses upon the analysis and management of risk. In the UK, the 1999 Turnbull Report on corporate governance required directors to provide a statement to shareholders of the significant risks to the business. This then encouraged the audit activity of studying these risks rather than just checking compliance with existing controls.[1] Standards for risk management have included the COSO guidelines and the first international standard, AS/NZS 4360. The latter is now the basis for a family of international standards for risk management - ISO 31000.
A traditional audit would focus upon the transactions which would make up financial statements such as the balance sheet. A risk-based approach will seek to identify risks with the greatest potential impact. Strategic risk analysis will then include political and social risks such as the potential effect of legislation and demographic change. An experiment suggested that managers might respond to risk-based auditing by transferring activity to accounts which are ostensibly low risk. Auditors would need to anticipate such attempts to game the process.
https://en.wikipedia.org/wiki/Risk-based_auditing
Internal auditors and some external auditors should be aware of the existence of risk and that effectiveness, efficiency, performance, and risk are important factors when determining the purpose of the audit or when planning the annual audit schedule. In this section we have discussed organizational risk as a purpose of an audit. Later we will discuss audit program risk and audit process risk.
The Client in Second-Party Audits
For a second-party audit, the audit program, the engineering and technology departments, or the purchasing department normally determines the purpose of the audit and communicates it to the auditee.
The primary purpose of a second-party audit is to either assess a supplier to verify that contract requirements are being followed or assess a potential supplier’s capability of meeting specific requirements for a product or service. By determining that the supplier is meeting the requirements specified in a contract, the purchaser gains confidence in the quality of goods and services being delivered. The following list provides example purpose statements for second-party audits.
[Diagram: Second-party audit. On the purchaser/customer side, the Engineering Department, Purchasing Dept., Technological Dept., and QA, QC and other Dept. are each labelled Client; Supplier 1, Supplier 2, and Supplier 3 are each labelled Auditee.]
• Who determines the purpose of the audit?
The client.
• Who is the client?
There is also a client, the person or organization that has requested the audit.
- In first-party audits: organization management higher in the hierarchy than the department to be audited.
- In second-party audits: engineering or other concerned departments that audit the supplier.
Audits are conducted only when someone requests one; they do not happen by accident. There has to be a sponsor or client with the authority to call for an audit. (HB page xx)
The purpose of the second-party audit is to:
• Assess the capability of XYZ Company to meet contract requirements by a review of the available resources and by obtaining objective evidence of management’s commitment to the quality requirements of its product
• Verify that the materials, equipment, and work being performed under Contract 12345-P-001 are in accordance with the procurement documents, as specified in Section 6 of this contract, and that the work is being executed by qualified personnel
• Identify the possible cause of recent nonconformities by conducting a comprehensive assessment of the tasks, procedures, records, and system documentation related to the production of the wireless widget
• Verify that the supplier has an active environmental abatement (reduction) and safety improvement program that meets customer requirements
[Diagram: External Second-Party Supplier Audit. Boxes: assess the capability to meet contract requirements; obtain objective evidence of management’s commitment to the quality requirements of its product; verify that the materials, equipment, and work being performed are in accordance with the contract req.; identify the possible cause of recent nonconformities, RCA and CAPA; verify that the supplier has an active environmental abatement (reduction) and safety improvement program. Goal box: continuous improvement and to increase customer satisfaction (the mission of the ASQ Audit Division).]
Most third-party audits are performed by auditing organizations to determine the compliance or conformance of the auditee’s systems with agreed-upon criteria. In the case of an audit for certification, an auditor examines an auditee’s systems for conformity with a specific standard (for example, ISO 9001 or ISO 14001) or current good manufacturing practices. The purpose statement for most third-party audits is very specific, as shown in the following examples.
Some organizations seek third-party audits to improve their competitive position, for recognition in the form of a certificate, or for an award.
The purpose of the third-party audit is to:
• Determine the degree of conformity to the requirements of the standard (ISO 9001, ISO 14001, AS9100) for the purposes of certification of the company management system
• Assess the conformity of the system to all requirements of the international standard (ISO 9001, TL9000, ISO/TS 16949) for the purpose of recommending the organization for certification to the standard or approval of a license
• Assess the compliance of the organization to all requirements of Regulation 123 for the purpose of recommending approval or disapproval as a supplier
Third-party audits performed for regulatory purposes determine the compliance of the auditee’s systems with regulations or laws. These audits have penalties associated with them (fines, jail, or both), so they are very serious. The purpose of the audit is determined by the regulatory agency and is normally specified in the regulation or law. These audits focus on detailed compliance with regulations or laws to ensure that companies are protecting the environment, the public, and their employees.
The Purpose Of The Third-Party Audit
[Diagram: External Third-Party Audit. Boxes: determine the degree of conformity to the requirements of the standard for the purposes of certification of the company management system; assess the compliance of the organization to all requirements of Customer requirement for the purpose of recommending approval as a supplier (Shell, BP, Aramco..); third-party audits performed for regulatory purposes determine the compliance of the auditee’s systems with regulations or laws. Goal box: certification for better business opportunity / mandatory regulatory compliances.]
Audit Scope
According to ISO 19011 the audit scope is the extent and boundaries of an audit.
The audit scope normally includes a description of the physical locations, organizational units, activities and processes, and the time period covered. The audit scope indicates or fixes a limit or extent of the audit. The scope has been described as the breadth of the audit and may specify areas not to be included in the audit.
The scope or criteria of an audit can include:
• Physical locations
• Departments, areas, or units
• Products, processes, or systems
• Areas excluded from the audit
• Timeline for audit activities or events
• Relevant system and process policies, procedures, instructions, and plans
• Applicable standards, contracts, regulations, codes, and other legal documents
The following list provides examples of audit scope.
The scope of the audit includes:
• Processes performed in the raw material storage, fermentation and purification suites, bulk filling area, final product storage, and the product testing laboratory.
• Policies and procedures for IT security for financial computer systems. Quality-related computer systems will not be addressed during this audit.
• The confined space entry and lockout/tagout safety systems for process vessels.
• Controls in place at supplier XXX Container Company for the manufacture, testing, and release of bottles and caps during the past two years.
If the scope or audit criteria must be changed before or during the audit, the audit participants should be informed of the change and it should be documented in the audit plan. If two or more management systems of different areas or disciplines (e.g., quality, safety, environmental) are audited together (a combined or integrated audit), it is important that the audit objectives, scope, and criteria be compatible with the objectives of the relevant audit programs.
IA-Gossip
An auditor told of one case in which an organization wanted to acknowledge a supplier for the perfect product it had been receiving. However, during the award process it was discovered that the supplier had absolutely no quality system in place! The supplier was able to ship an acceptable product simply because its employees were good sorters.
Comments:
Was the good sorter system indeed a good quality system?
IA-Gossip
What’s the difference between certification, registration, and accreditation?
The terms certification and registration are used interchangeably to refer to verifying the conformance of an organization’s management systems to a standard or other requirements. The term accreditation is used when validating or verifying the conformance of a certification body to the requirements of national and/or international criteria. Certification also refers to the process of validating and verifying the credentials of individuals such as auditors. A certification body, also known as a registrar, is a third-party company contracted to evaluate the conformance of an organization’s management systems to the requirements of the appropriate standard(s) and issue a certificate of conformance when warranted.
Comments:
This is a fact, not gossip? Why are some certification bodies or registrars using their suppliers, "AQB (Authorized Qualification Body)", to fully administer their own functions? https://www.ndt.net/search/docs.php3?id=21282&content=1
IA-Gossip
The universality of auditing extends to most sectors of our society, including the American Civil Liberties Union (ACLU), local building or fire inspectors, the Environmental Protection Agency (EPA), the Occupational Safety and Health Administration (OSHA), union representatives, critical customers, and the Internal Revenue Service (IRS), to assess and report how well the organization is performing.
Comments:
An audit universe represents the potential range of all audit activities and is comprised of a number of auditable entities. These entities generally include a range of programs, activities, functions, structures and initiatives which collectively contribute to the achievement of the department’s strategic objectives.
https://www.nrcan.gc.ca/audit/reports/1100
IA-Gossip - Learn from https://www.nrcan.gc.ca/audit/reports/1100
The Planning Process
The starting point for the risk-based selection process is NRCan’s internal audit universe. The audit universe represents a potential range of all audit activities and is comprised of a number of auditable entities. The Audit Branch uses the departmental Program Activity Architecture (PAA) to help assess completeness of the audit universe.
The next stage is to prioritize the audit universe based on a risk assessment. This is a two step process and involves preliminary and final prioritization. This includes management consultations, review and consideration of available departmental risk information, including the Corporate Risk Profile (CRP), the latest Management Accountability Framework assessment, strategic review, business planning, the Report on Plans and Priorities (RPP), departmental and government priorities, the most recent tabled financial statements, and other considerations such as previous audit results (both internal and external).
Consideration is given to other factors such as senior management requests; the Departmental Audit Committee (DAC) advice and recommendations; mandated audits such as Office of the Comptroller General’s horizontal directed audits; audits resulting from the Budget 2009 Economic Action Plan; planned audits by other assurance providers.
Finally the draft audit plan is distributed to Departmental Audit Committee for review and recommended to the Deputy Minister for approval.
The following diagram highlights the four key phases used in the selection process for the development of a robust risk-based audit plan.
IT Risk Universes
IA-Gossip
A common type of assessment is termed "statutory and regulatory compliance audit." While the auditors may be trained and informed in the relevant materials and documents, they need to be careful to avoid going beyond their competence in their reporting. For statutory issues, interpretation of laws is often required and can be viewed as the domain of lawyers who are members of the bar. Typically, determination of regulatory compliance lies solely in the domain of persons who are formally recognized by the regulatory agency as being competent to interpret regulations developed by statutory authorities, for example, OSHA, the EPA, the Department of Transportation (DOT), the Federal Aviation Administration (FAA), and the Food and Drug Administration (FDA). Auditors may be qualified as technical subject matter experts (SMEs) but lack appropriate recognitions by interested bodies.
Comments: Send a lawyer to the pipeline construction area to deal with Department of Transportation (DOT) 46CFR 192 compliance issues? https://www.gpo.gov/fdsys/granule/CFR-2011-title49-vol3/CFR-2011-title49-vol3-part192
…For statutory issues, interpretation of laws is often required and can be viewed as the domain of lawyers who are members of the bar. Typically, determination of regulatory compliance lies solely in the domain of persons who are formally recognized by the regulatory agency as being competent to interpret regulations developed by statutory authorities…
http://slideshare.net/charliechong/api-1169-part-49-cfr-195transportation-of-hazardous-liquids-by-pipeline
IB2. Benefits Of Audits
The benefits of an audit are numerous. Audits can verify ongoing conformance to requirements and promote improvement of the organization’s effectiveness and efficiency. Management can utilize the objective data to make informed decisions regarding the achievement of organization objectives. Auditing benefits include:
• Verification of conformance to requirements such as:
(a) a management system,
(b) regulatory and
(c) contractual
• Identification of risks and monitoring of risk treatments
• Identification of opportunities for improvement
• Verification that projects were implemented according to plan
• Determination of readiness of new products and processes
• Verification of system effectiveness
• Identification of inefficiencies and ineffective controls
• Verification of corrective actions and their effectiveness
• Identification and reporting of best practices
• Advancing the achievement of organization objectives
Auditors have a broad perspective of an organization and analyze evidence reported to management. Management can use this information to evaluate the organization and implement measures necessary to meet its objectives.
[Diagram: Auditing Benefits. Ten boxes: identification and reporting of best practices; verification of conformance to requirements; identification of risks and monitoring of risk treatments; verification of corrective actions and their effectiveness; identification of inefficiencies and ineffective controls; advancing the achievement of organization objectives; identification of opportunities for improvement; verification that projects were implemented according to plan; verification of system effectiveness; determination of readiness of new products and processes.]
Management review should consider recurring nonconformities (for example, at a particular location or with a particular procedure) as possible evidence that the plans and procedures should be changed.
Even more useful is a management review of potential inefficiencies. When audit results are being viewed as added system information, auditing starts to provide the information needed for the "Check" step in the Deming (also known as "Shewhart") Plan-Do-Check-Act (PDCA; also known as the PDSA: Plan-Do-Study-Act) cycle. With the kind of information that process and system audits provide, management is better prepared to move forward with more-informed decisions. Elevation of nonconformity resolution to the PDCA paradigm (model) requires the use of more contemporary tools for problem solving, improvement, and overall management. The universe of opportunities expands as new knowledge and theories are developed. System and process auditing can provide this new knowledge, if understood and properly applied.
The Shewhart control chart has a baseline and upper and lower limits, shown as dashed lines, that are symmetric about the baseline. Measurements are plotted on the chart versus a time line. Measurements that are outside the limits are considered to be out of control.
The baseline for the control chart is the accepted value, an average of the historical check standard values. A minimum of 100 check standard values is required to establish an accepted value.
The upper (UCL) and lower (LCL) control limits are:
UCL = Accepted value + k*process standard deviation
LCL = Accepted value - k*process standard deviation
where the process standard deviation is the standard deviation computed from the check standard database.
18 March 1891 – 11 March 1967
https://www.itl.nist.gov/div898/handbook/mpc/section2/mpc221.htm
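The control limits described above, worked through in Python as an added example (not code from the handbook or the NIST page). The check standard history and the new measurements are constructed; k = 3 and the sample (n-1) standard deviation are assumptions, since the text fixes neither.

```python
import statistics
from dataclasses import dataclass

# Minimum history the text requires before an accepted value can be established.
MIN_CHECK_VALUES = 100


@dataclass(frozen=True)
class ControlLimits:
    accepted_value: float  # baseline: average of the historical check standard values
    process_sd: float      # standard deviation of the same history
    ucl: float             # upper control limit
    lcl: float             # lower control limit


def control_limits(history, k=3.0):
    """Compute the baseline and the symmetric limits from check standard history.

    k is the multiplier in the UCL/LCL formulas. k=3 is an assumption made
    for this example; the text does not give a value.
    """
    if len(history) < MIN_CHECK_VALUES:
        raise ValueError(
            f"need at least {MIN_CHECK_VALUES} check standard values, "
            f"got {len(history)}"
        )
    accepted = statistics.mean(history)
    # Sample standard deviation (n-1 denominator): an assumption, the text
    # only says "computed from the check standard database".
    sd = statistics.stdev(history)
    return ControlLimits(
        accepted_value=accepted,
        process_sd=sd,
        ucl=accepted + k * sd,
        lcl=accepted - k * sd,
    )


def out_of_control(measurements, limits):
    """Return (index, value, reason) for every measurement outside the limits."""
    flagged = []
    for index, value in enumerate(measurements):
        if value > limits.ucl:
            flagged.append((index, value, "above UCL"))
        elif value < limits.lcl:
            flagged.append((index, value, "below LCL"))
    return flagged


# Constructed check standard history: 100 values alternating around 10.0.
HISTORY = [9.9, 10.1] * 50

# Constructed new measurements, in time order.
NEW_MEASUREMENTS = [10.05, 9.80, 10.35, 9.95, 9.65]


if __name__ == "__main__":
    limits = control_limits(HISTORY)
    print(f"accepted value = {limits.accepted_value:.4f}")
    print(f"process sd     = {limits.process_sd:.4f}")
    print(f"UCL = {limits.ucl:.4f}, LCL = {limits.lcl:.4f}")
    for index, value, reason in out_of_control(NEW_MEASUREMENTS, limits):
        print(f"measurement #{index} = {value} is out of control ({reason})")
```
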
IB-Gossip
A new auditor received lots of complimentary feedback from an auditee who was very close to the process he managed. A staff auditor had coached the new internal system auditor to ask reporter-type questions, explaining that the "why" question was not philosophical. The answer to "why" gives the reason or driver for an activity. After the audit, the manager said that he had learned more from attempting to answer and document the driver for the activity than from any previous audit experience. It reinforced the actions needed for an activity and surfaced unnecessary actions.
Comments:
The 5 Whys did work to improve quality as a means of root cause analysis?
5 Whys is an iterative interrogative technique used to explore the cause-and-effect relationships underlying a particular<br />
problem. The primary goal of the technique is to determine the root cause of a defect or problem by repeating the question<br />
"Why?" Each answer forms the basis of the next question. The "5" in the name derives from an anecdotal observation on the<br />
number of iterations needed to resolve the problem. Not all problems have a single root cause. If one wishes to uncover<br />
multiple root causes, the method must be repeated asking a different sequence of questions each time. The method provides<br />
no hard and fast rules about what lines of questions to explore, or how long to continue the search for additional root causes.<br />
Thus, even when the method is closely followed, the outcome still depends upon the knowledge and persistence of the<br />
people involved.<br />
The technique was originally developed by Sakichi Toyoda and was used within the Toyota Motor Corporation during the<br />
evolution of its manufacturing methodologies. It is a critical component of problem-solving training, delivered as part of the<br />
induction into the Toyota Production System. The architect of the Toyota Production System, Taiichi Ohno, described the 5<br />
Whys method as "the basis of Toyota's scientific approach . . . by repeating why five times, the nature of the problem as well<br />
as its solution becomes clear." The tool has seen widespread use beyond Toyota, and is now used within Kaizen, lean<br />
manufacturing, and Six Sigma. In other companies, it appears in other forms. Under Ricardo Semler, Semco practices "three<br />
whys" and broadens the practice to cover goal setting and decision making.<br />
https://en.wikipedia.org/wiki/5_Whys<br />
American Society for Quality<br />
600 N Plankinton Ave, Milwaukee, WI 53203<br />
Chapter 3<br />
Criteria to Audit Against/Part IC<br />
Discussion<br />
Audit criteria is a universal term that describes the reference used by an auditor against which the evidence<br />
collected during the audit can be compared.<br />
(The other informal terms are: assessment, survey, examination.)<br />
In the late 1980s the Quality Auditing Technical Committee (now the Audit Division of ASQ)<br />
defined audit as:<br />
(ASQ) audit<br />
A planned, independent, and documented assessment to determine whether agreed-upon<br />
requirements are being met. (HB)<br />
3.1 audit<br />
systematic, independent and documented process for obtaining audit evidence (3.3) and<br />
evaluating it objectively to determine the extent to which the audit criteria (3.2) are fulfilled<br />
Guidelines for auditing management systems (ISO 19011:2011)<br />
http://qic-eg.com/wp-content/uploads/2015/08/BS-EN-ISO-19011-2011.pdf<br />
Audit Division of ASQ versus ISO<br />
Definition on Audit (Compare)<br />
A planned, independent, and documented assessment to determine whether agreed-upon requirements are being met. (HB)<br />
systematic, independent and documented process for obtaining audit evidence (3.3) and evaluating it objectively to determine the extent to which the audit criteria (3.2) are fulfilled. (ISO)<br />
Assessment to determine agreed-upon requirements are being met.<br />
Process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled<br />
Audit Criteria<br />
The ISO 19011, clause 3.2 states that audit criteria are:<br />
• a set of policies,<br />
• procedures, or<br />
• requirements<br />
used as a reference against which audit evidence is compared.<br />
audit criteria (ISO 19011:2011(E))<br />
set of policies, procedures or requirements used as a reference against which audit evidence (3.3) is compared<br />
NOTE 1 Adapted from ISO 9000:2005, definition 3.9.3.<br />
NOTE 2 If the audit criteria are legal (including statutory or regulatory) requirements, the terms "compliant" or<br />
"noncompliant" are often used in an audit finding (3.4).<br />
The ISO 9000 vocabulary standard explains that requirements may be generated by various stakeholders or<br />
interested parties. Requirements may be specified or they may be generally implied, such as customs or<br />
common practice. This definition recognizes that not all requirements can be specified. For example, we<br />
expect new products to arrive clean, services to be performed in a timely manner, reports to be legible, and<br />
service persons to practice good hygiene, even though such requirements may not be specified in a document,<br />
contract, or standard. The audit criteria may be referred to as system or process requirements, rules that the<br />
auditee follows, or a specific named standard or regulation. The audit principle is that auditors audit against<br />
criteria, a set of rules or specified controls, and not their own opinion of what the auditee should be doing. The<br />
evidence collected, which is used as a basis for findings and the audit report, should be relevant to the audit<br />
criteria. Assigned auditors must be knowledgeable of the audit criteria, document, or standard that the<br />
organization is being evaluated against. Auditors must be competent, and part of that competency is<br />
knowledge of the audit criteria and their interpretations.<br />
Audit Requirements<br />
Audits of programs (such as quality or environmental programs) normally require reference standards against<br />
which to judge the adequacy of the plans. These are normally external documents that may include:<br />
• National and international standards<br />
• Customer and corporate specifications<br />
• Contract and customer requirements<br />
• Local and national statutes and regulations<br />
• Industry codes and standards<br />
• Guides, handbooks, and so on<br />
Standards, codes, and regulations . . . are issued by related industrial or professional associations, by national<br />
standards writing organizations concerned with the intended market place, by local/state/national legislative<br />
bodies and by international bodies.<br />
Question:<br />
Customer and corporate specifications; do these include the company quality manual and the like?<br />
Answer: See keyword; "external document"<br />
Keywords:<br />
external documents<br />
Performance Standards<br />
Performance standards are the documents that contain the norms or criteria against which an activity is<br />
measured. There are four levels of performance standards:<br />
1. Policies:<br />
Examples include corporate policy statements, international and national quality system standards,<br />
regulatory standards, and business sector standards.<br />
2. Manuals:<br />
Examples are corporate manuals and plant manuals. One may exist for each function, department, or<br />
division.<br />
3. Procedural documents:<br />
These include the step-by-step requirements for doing a job.<br />
4. Detailed documents:<br />
These documents, such as drawings, purchase orders, product specifications, and inspection plans,<br />
contain specific requirements or instructions.<br />
Performance Standards (Internal documents?)<br />
[Figure: levels of performance standards: Policies, Manuals, Procedures, Detailed Documents]<br />
Audit Basis (Confusing Term?)<br />
To perform an audit, an auditor must be aware of the audit basis, sometimes called reference standards, audit<br />
criteria, or performance standards. The compliance or adequacy of a system cannot be measured until those<br />
requirements are defined. Regardless of the requirements, an audit must be performed against a basis for<br />
reference (for example, organization performance standards and/or national standards such as ISO 9001).<br />
These reference documents may include the following:<br />
(1) management system, product, or process standards, (2) contracts, (3) specifications,<br />
(4) organization policies and objectives, and (5) laws or regulations.<br />
Dictionary:<br />
• Basis: foundation, base<br />
• Criteria: criterion, standard against which something is measured<br />
Comment on audit basis:<br />
The impartiality of auditor characteristic could be a good audit basis.<br />
Standards (Audit against…)<br />
Certain international, national, and industry standards are mandated for many organizations. Audits verify<br />
compliance/conformance with the applicable management system standard, whether it be ISO 9001, AS9100,<br />
TL 9000, or ISO 14001.<br />
The Standards: ISO 9001, TL 9000, AS9100, ISO 13485, ISO/TS 16949, ISO 22000, ISO 14001<br />
Descriptions:<br />
ISO 9001 is a set of International Standards for management and verification of good quality management practices.<br />
TL 9000 is a quality management practice designed by the QuEST Forum in 1998. It was created to focus on supply<br />
chain directives throughout the international telecommunications industry, including the USA. As with ISO/TS 16949<br />
for the automotive industry and AS9000 for the aerospace industry, TL 9000 specializes the generic ISO 9001 to meet<br />
the needs of one industrial sector, which for TL 9000 is the information and communications technology (ICT)—<br />
extending from service providers through ICT equipment manufacturers through the suppliers and contractors and<br />
subcontractors that provide electronic components and software components to those ICT equipment manufacturers.<br />
AS9100 is a widely adopted and standardized quality management system for the aerospace industry. It was released<br />
in October, 1999, by the Society of Automotive Engineers and the European Association of Aerospace Industries.<br />
ISO 13485 Medical devices -- Quality management systems - the requirements for a comprehensive quality<br />
management system for the design and manufacture of medical devices.<br />
ISO/TS 16949 is an ISO technical specification aimed at the development of a quality management system that<br />
provides for continual improvement, emphasizing defect prevention and the reduction of variation and waste in the<br />
automotive industry supply chain.<br />
ISO 22000 is a Food Safety Management System that can be applied to any organization in the food chain, farm to<br />
fork.<br />
ISO 14000 is a family of standards related to environmental management that exists to help organizations (a) minimize<br />
how their operations (processes, etc.) negatively affect the environment (i.e. cause adverse changes to air, water, or<br />
land); (b) comply with applicable laws, regulations, and other environmentally oriented requirements; and (c)<br />
continually improve in the above.<br />
An organization may voluntarily adopt certain standards by incorporating them into contracts or<br />
policies even though there is no requirement to do so. An organization may adopt certain<br />
standards because it is in its best interests, such as for external marketing or providing an<br />
internal structure for managing the organization.<br />
Contracts (Audit against…)<br />
In a second-party audit, the purchase order or other contract between two parties states the<br />
specific requirements that must be met, and an audit is performed to verify that the supplier is<br />
meeting those requirements. A contract may include references to a specific standard, such as<br />
American National Standards Institute (ANSI), American Society for Testing and Materials<br />
(ASTM) International, FAA, DOE, or FDA standards.<br />
Contracts may specify that a supplier establish and maintain a management system standard<br />
such as ISO 9001 or ISO 13485. A third party may verify that the supplier conforms to the<br />
management system standard.<br />
However, the customer may have additional requirements, referring to them as "ISO 9001 plus"<br />
audits.<br />
Other suppliers may not have a management system in place and may be subject to an "ISO<br />
9001 minus" audit (not all ISO 9001 controls are required).<br />
Keywords:<br />
"ISO 9001 plus" audits<br />
"ISO 9001 minus" audit<br />
Specifications (Audit against…)<br />
Specifications are normally used when conducting product or service audits. An auditor examines<br />
physical dimensions, placement or arrangement of items, or chemical compositions, for example,<br />
to see if they are in compliance with the specified requirements.<br />
Policies and objectives (Audit against…)<br />
Internally, many companies regularly assess compliance/conformance and effectiveness with<br />
their own policies or policy statements. These policies are often stated in manuals and are the<br />
basis for a quality, environmental, or safety program. Most companies publish specified<br />
objectives. Objectives may relate to cost, safety, stewardship, health, efficiency, effectiveness,<br />
optimum use of resources, and so on. Auditors can verify the progress of departments, functions,<br />
and projects toward the achievement of objectives.<br />
Laws and Regulations (Audit against…)<br />
Many companies perform internal audits to ensure that they are meeting all the requirements imposed by<br />
various laws and regulations, whether general or industry-specific.<br />
Third-party auditors within a regulatory agency use the laws and regulations, case law, and their internal<br />
requirements/guidelines as the basis for the audit. Auditors verify mandatory governmental standards such as<br />
FDA current good manufacturing practices (cGMPs), FAA, 10CFR 830, or Sarbanes-Oxley.<br />
The audit criteria must be stipulated as part of the audit plan. There is no minimum or maximum limit to the<br />
amount or kinds of audit criteria. However, for an audit to be performed, there must be audit criteria. If there are<br />
no criteria to compare the organization with, the investigation may be called a survey or review.<br />
Keywords:<br />
survey or review<br />
What is the 'Sarbanes-Oxley Act Of 2002 - SOX'<br />
The U.S. Congress passed the Sarbanes-Oxley Act of 2002 on July 30, 2002 to protect investors from the<br />
possibility of fraudulent accounting activities by corporations. The SOX Act of 2002, also known as the<br />
Corporate Responsibility Act of 2002, mandated strict reforms to improve financial disclosures from<br />
corporations and prevent accounting fraud.<br />
The Act was in response to accounting malpractice in the early 2000s when public scandals such as Enron<br />
Corporation, Tyco International plc and WorldCom shook investor confidence in financial statements and<br />
demanded an overhaul of regulatory standards.<br />
Long title: An Act To protect investors by improving the accuracy and reliability of corporate disclosures made<br />
pursuant to the securities laws, and for other purposes.<br />
https://www.investopedia.com/terms/s/sarbanesoxleyact.asp#ixzz5QsrIqK4l<br />
Chapter 4<br />
Roles and Responsibilities of Audit Participants/Part ID<br />
Audit Participants<br />
An audit involves three key participants who may interrelate in a number of ways. Described by<br />
function, these participants are the client, the auditor, and the auditee.<br />
• The client is the person or organization that has requested or commissioned the audit. The<br />
client is usually a member of senior management, and the audit is typically conducted of an<br />
organizational unit under the client’s jurisdiction, of independent suppliers, or to support an<br />
application for third-party certification.<br />
• The auditor is the person who plans and carries out the audit. An auditing organization, which<br />
employs auditors to carry out audits, may be internal to a company or an independent<br />
organization, such as the auditing group of a quality or environmental program certification<br />
body or consulting organization.<br />
• The auditee is the organization to be audited. The auditee may be a division of the client’s<br />
organization or an entirely separate entity, such as a supplier. In internal audits, the client is<br />
the top management and the auditee is the function or area to be audited.<br />
External Audit<br />
The following are examples of external audits:<br />
External Audit (Third-Party Audit)<br />
• Situation: Organization desires recognition or approval of its capability to meet a particular<br />
standard such as ISO 9001<br />
• Client: The top management of an organization desiring certification/registration<br />
• Auditee: The organization desiring certification/registration<br />
• Auditing organization: The organization granting certification/registration using an auditor<br />
employed by the auditing organization or hired to conduct the audit<br />
External Audit (Second-Party Audit)<br />
• Situation: Customer organization desires to evaluate a supplier<br />
• Client: The interested purchasing agent, purchasing manager, or engineer<br />
• Auditee: The potential or existing supplier<br />
• Auditing organization: Member(s) of the customer organization staff or auditors under contract<br />
to the customer organization<br />
External Audit (Regulatory Audit?)<br />
• Situation: Regulatory organization verifies that supplier or operator is in compliance with requirements<br />
• Client: The regulatory agency<br />
• Auditee: The potential supplier or operator (Organization operating under jurisdiction of regulatory agency?)<br />
• Auditing organization: Employee(s) of the regulatory agency or auditors under contract to the agency<br />
Internal Audit<br />
The following is an example of an internal audit:<br />
• Situation: Organization desires to determine the degree of conformity of its own organization elements to a<br />
predefined management system<br />
(Other objective? – Effectiveness, opportunity of improvements, risk etc.)<br />
• Client: Upper-management team of the organization desiring to use auditing as a management tool<br />
• Auditee: The department/function(s) of the organization to be evaluated<br />
• Auditing organization: Employee(s) of the organization or individuals hired to conduct the audit<br />
In the internal audit example, the client can be the organization’s own top management.<br />
The origin of the term audit client comes from the very first application of audits in the United States (external<br />
financial audits). After the Great Depression, laws were passed requiring a financial audit of the books of<br />
companies subject to securities and exchange regulations. In order for the audit results to be creditable, the<br />
audits had to be performed by outside certified public accountants (CPAs). These CPA auditors were hired by a<br />
client. Today, we call them the auditee. The CPAs delivered their report to the client, who gave it to the audit<br />
committee on the board of directors.<br />
Roles And Responsibilities<br />
The audit process involves several participants. By its nature, an audit can cause<br />
stress between participants. Therefore, it is in everyone’s best interest if the<br />
participants work together to ensure a successful and effective audit. The more<br />
contentious (belligerent, argumentative, controversial) the relationship between<br />
participants (such as the auditor and the auditee), the more difficult it will be to<br />
achieve compliance, conformity, or improvement.<br />
The following are audit process participants:<br />
• Client: Person or organization that requested the audit<br />
• Auditor: Person carrying out the audit<br />
• Lead auditor or audit team leader: Auditor responsible for managing the audit<br />
• Auditee: Person or organization to be audited<br />
- Escort: Person assigned to escort the audit team members<br />
- Coordinator: Person in contact with the lead auditor or the audit program manager<br />
in order to arrange for the audit<br />
• Audit program manager: Person responsible for the audit program<br />
Audit Process Participants<br />
The following are audit process participants:<br />
• Client: Person or organization that requested the audit<br />
• The Auditor Team: Person(s) carrying out the audit<br />
- Audit program manager: Person responsible for the audit program<br />
- Lead auditor or audit team leader: Auditor responsible for managing the audit<br />
- Auditor: Person carrying out the audit<br />
• Auditee: Person or organization to be audited<br />
- Coordinator: Person in contact with the lead auditor or the audit program manager<br />
in order to arrange for the audit<br />
- Escort: Person assigned to escort the audit team members<br />
List of Responsibilities and duties<br />
• Client<br />
a. Determines the need for an audit<br />
b. Determines the audit organization to be used<br />
c. Determines the audit purpose<br />
d. Determines overall audit scope and may confer with the audit program manager or<br />
lead auditor to define specifics<br />
e. Addresses budget issues<br />
f. May determine the audit team leader or delegate the responsibility to the audit<br />
program manager<br />
g. May choose to attend audit process meetings such as the exit meeting<br />
h. Receives the audit report<br />
i. Determines and directs the distribution of the audit report<br />
j. Determines the need for follow-up actions<br />
k. Supports the audit initiative<br />
l. Follows organizational procedures regarding the audit process<br />
List of Responsibilities and duties<br />
• Client<br />
Responsibilities<br />
Determines the need for an audit<br />
Determines the audit organization to be used<br />
Determines the audit purpose<br />
Determines overall audit scope and may confer with (ask advice from) the audit program manager or lead<br />
auditor to define specifics<br />
Addresses budget issues<br />
May determine the audit team leader or delegate the responsibility to the audit program manager<br />
May choose to attend audit process meetings such as the exit meeting (entry meeting?)<br />
Receives the audit report<br />
Determines and directs the distribution of the audit report<br />
Determines the need for follow-up actions<br />
Supports the audit initiative<br />
Follows organizational procedures regarding the audit process<br />
KIV: Overall Scope; Team Leader Selection; Follow-up action; Organization procedure<br />
Part ID
Auditor
a. Understands the purpose and scope of the audit
b. Understands the audit criteria being audited against
c. Prepares for the audit
d. Performs the audit to collect evidence to verify conformance or nonconformance to the audit criteria
e. Records the results of the investigation (perhaps on a checklist)
f. Attends the opening and exit meetings
g. Reports findings to the lead auditor
h. Cooperates with the lead auditor
i. Verifies the correction of previous nonconformities if directed to do so
j. Provides input to the formal report if directed to do so by the lead auditor or client
k. Maintains confidentiality of the audit information
l. Reports conflicts of interest to the lead auditor
m. Is ethical and adheres to an organization code of conduct or the principles of auditing as listed in ISO 19011, section 4

4 Principles of auditing
Auditing is characterized by reliance on a number of principles. These principles should help to make the audit an effective and reliable tool in support of management policies and controls, by providing information on which an organization can act in order to improve its performance. Adherence to these principles is a prerequisite for providing audit conclusions that are relevant and sufficient and for enabling auditors, working independently from one another, to reach similar conclusions in similar circumstances……
The guidance given in Clauses 5 to 7 is based on the six principles outlined below.
a) Integrity: the foundation of professionalism
Auditors and the person managing an audit programme should:
— perform their work with honesty, diligence, and responsibility;
— observe and comply with any applicable legal requirements;
— demonstrate their competence while performing their work;
— perform their work in an impartial manner, i.e. remain fair and unbiased in all their dealings;
— be sensitive to any influences that may be exerted on their judgement while carrying out an audit.
b) Fair presentation: the obligation to report truthfully and accurately
Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the audit activities. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee should be reported. The communication should be truthful, accurate, objective, timely, clear and complete.
c) Due professional care: the application of diligence and judgement in auditing
Auditors should exercise due care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgements in all audit situations.
d) Confidentiality: security of information
Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interests of the auditee. This concept includes the proper handling of sensitive or confidential information.
e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
Auditors should be independent of the activity being audited wherever practicable, and should in all cases act in a manner that is free from bias and conflict of interest. For internal audits, auditors should be independent from the operating managers of the function being audited. Auditors should maintain objectivity throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence.
For small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited, but every effort should be made to remove bias and encourage objectivity.
f) Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process
Audit evidence should be verifiable. It will in general be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. An appropriate use of sampling should be applied, since this is closely related to the confidence that can be placed in the audit conclusions.
7.2.2 Personal behavior
Auditors should possess the necessary qualities to enable them to act in accordance with the principles of auditing as described in Clause 4.
Auditors should exhibit professional behavior during the performance of audit activities, including being:
• ethical, i.e. fair, truthful, sincere, honest and discreet;
• open-minded, i.e. willing to consider alternative ideas or points of view;
• diplomatic, i.e. tactful in dealing with people;
• observant, i.e. actively observing physical surroundings and activities;
• perceptive, i.e. aware of and able to understand situations;
• versatile, i.e. able to readily adapt to different situations;
• tenacious, i.e. persistent and focused on achieving objectives;
• decisive, i.e. able to reach timely conclusions based on logical reasoning and analysis;
• self-reliant, i.e. able to act and function independently whilst interacting effectively with others;
• acting with fortitude, i.e. able to act responsibly and ethically, even though these actions may not always be popular and may sometimes result in disagreement or confrontation;
• open to improvement, i.e. willing to learn from situations, and striving for better audit results;
• culturally sensitive, i.e. observant and respectful to the culture of the auditee;
• collaborative, i.e. effectively interacting with others, including audit team members and the auditee’s personnel.
ISO 19011:2011
Lead Auditor/Audit Team Leader
a. Is responsible for communication with the client, auditor program management, and the auditee representative
b. Provides audit team selection input if requested to do so (?)
c. Communicates audit plan and requirements to auditee
d. Ensures that necessary resources are available to audit team
e. Ensures the team has the appropriate working papers
f. Plans the audit and directs the audit team
g. Conducts audit process meetings
h. Prepares audit report
i. Manages the audit process and resolves conflicts of interest or other personnel issues
j. Ensures reports and records are properly filed and safeguarded
Auditee
a. Coordinates audit with the lead auditor
b. Informs employees of the pending audit purpose and scope
c. Addresses logistical issues with the lead auditor
d. Provides adequate space and privacy for the opening and exit meetings
e. Attends the opening and exit meetings
f. Provides area for auditors to work and meet if requested
g. Cooperates with the auditors
h. Provides access to areas included in the audit scope
i. Acknowledges audit results
j. Takes corrective action on audit findings
Audit Program Manager
a. Assigns auditors (not lead auditor unless delegated) to scheduled audits
b. Ensures availability of resources (budgeting)
c. Establishes a reporting relationship that ensures objective and impartial audits
d. Qualifies auditors (knowledge, experience, and skills) (Teacher?)
e. Establishes controls (procedures, criteria, plans, and objectives) for an effective and efficient audit program
f. Creates, distributes, and maintains audit program schedules
g. Reports audit program progress to management
h. Monitors auditor performance
i. Determines audit program objectives and creates plans to accomplish the objectives
j. Keeps and safeguards audit program information
k. Promotes ethical behavior on the part of auditors and those involved in managing the audit program
The audit participant’s role and involvement will be discussed further as topics are presented.
Part IE
Chapter 5
Professional Conduct and Consequences for Auditors/Part IE
Ethics affect professional conduct, and professional conduct affects credibility. Ethics are basic philosophical conclusions about whether conduct and behavior are right or wrong. Ethics are also moral principles by which an individual is guided. It is imperative (necessity, obligation; command, order) that auditors be ethical (objective and impartial) and behave appropriately (with professional conduct) in carrying out their responsibilities.
• Professional conduct is the manner in which auditors conduct themselves. Objectivity, courtesy, honesty, and many other character attributes combine to make up the particular conduct of any auditor during an audit.
• Liability is the degree of legal responsibility an individual or company has in a given situation. Liability issues are beginning to surface with the increase in third-party auditing and certification/registration. The audit participants must provide the audit service in such a manner as not to cause harm or injury, for which the law gives a remedy to the auditee (as damages, restitution (reparation, compensation, reimbursement), specific performance, or injunction).
Part IE1
IE1. Professional Conduct And Responsibilities
Codes of ethics
A code of ethics is a standard for conduct. An auditor’s ethical and moral principles should be compatible with a formal set of ethical standards. The American Society for Quality (ASQ) developed a code of ethics that each ASQ certified individual must pledge to uphold. The content of the ASQ code of ethics is included in certification examinations. Acceptance of the code of ethics by the examinee is required prior to certification. ASQ’s code of ethics is shown in Figure 5.1.
Many companies and professional organizations have developed a code of ethics to guide them in the performance of their work. The Institute of Internal Auditors (IIA) developed its code of ethics in 1974. The IIA took a slightly different approach than ASQ in the content of its code of ethics. Although these codes of ethics represent different perspectives, they both have the same basic principles described in their standards of conduct. Figure 5.2 presents the IIA code of ethics. A code of ethics serves as a guideline for performance for both the auditor and the auditee.
According to Charles A. Mills: A formal code of ethics allows quality auditors to approach audit performance uniformly. A formal code provides a benchmark against which an auditee and client can measure an auditor’s activities, establish an auditor’s independence, and recognize potential conflicts of interest. Ethical standards serve as a general behavioral guide for auditors. Auditors often rely on personal judgments and past experiences to determine ethical conduct in specific situations, however. Auditors’ personalities, temperaments, auditing styles, and basic perceptions can vary tremendously. By incorporating a set of ethical principles into their daily audit activities, auditors can maintain the high standards of conduct, honor, and character needed for audit results to be received as an unbiased and accurate product.
Codes of ethics
The purpose of the American Society for Quality (ASQ) Code of Ethics is to establish global standards of conduct and behavior for its members, certification holders, and anyone else who may represent or be perceived to represent ASQ. In addition to the code, all applicable ASQ policies and procedures should be followed. Violations to the Code of Ethics should be reported. Differences in work style or personalities should be first addressed directly with others before escalating to an ethics issue. The ASQ Professional Ethics and Qualifications Committee, appointed annually by the ASQ Board of Directors, is responsible for interpreting this code and applying it to specific situations, which may or may not be specifically called out in the text. Disciplinary actions will be commensurate with the seriousness of the offense and may include permanent revocation of certifications and/or expulsion from the society.

Fundamental Principles
ASQ requires its representatives to be honest and transparent. Avoid conflicts of interest and plagiarism. Do not harm others. Treat them with respect, dignity, and fairness. Be professional and socially responsible. Advance the role and perception of the Quality professional.

Expectations of a Quality Professional
• Act with Integrity and Honesty
Strive to uphold and advance the integrity, honor, and dignity of the Quality profession.
Be truthful and transparent in all professional interactions and activities.
Execute professional responsibilities and make decisions in an objective, factual, and fully informed manner.
Accurately represent and do not mislead others regarding professional qualifications, including education, titles, affiliations, and certifications.
Offer services, provide advice, and undertake assignments only in your areas of competence, expertise, and training.
• Demonstrate Responsibility, Respect, and Fairness
Hold paramount the safety, health, and welfare of individuals, the public, and the environment.
Avoid conduct that unjustly harms or threatens the reputation of the Society, its members, or the Quality profession.
Do not intentionally cause harm to others through words or deeds. Treat others fairly, courteously, with dignity, and without prejudice or discrimination.
Act and conduct business in a professional and socially responsible manner.
Allow diversity in the opinions and personal lives of others.
• Safeguard Proprietary Information and Avoid Conflicts of Interest
Ensure the protection and integrity of confidential information.
Do not use confidential information for personal gain.
Fully disclose and avoid any real or perceived conflicts of interest that could reasonably impair objectivity or independence in the service of clients, customers, employers, or the Society.
Give credit where it is due.
Do not plagiarize. Do not use the intellectual property of others without permission. Document the permission as it is obtained.
https://asq.org/about-asq/code-of-ethics
Charlie Ch<strong>on</strong>g/ Fi<strong>on</strong> Zhang
<strong>Part</strong> IE1<br />
Codes of ethics<br />
The purpose of the American Society for Quality (<strong>ASQ</strong>) Code of Ethics is to establish global standards of c<strong>on</strong>duct and behavior for its members, certificati<strong>on</strong> holders, and<br />
any<strong>on</strong>e else who may represent or be perceived to represent <strong>ASQ</strong>. In additi<strong>on</strong> to the code, all applicable <strong>ASQ</strong> policies and procedures should be followed. Violati<strong>on</strong>s to the<br />
Code of Ethics should be reported. Differences in work style or pers<strong>on</strong>alities should be first addressed directly with others before escalating to an ethics issue. The <strong>ASQ</strong><br />
Professi<strong>on</strong>al Ethics and Qualificati<strong>on</strong>s Committee, appointed annually by the <strong>ASQ</strong> Board of Directors, is resp<strong>on</strong>sible for interpreting this code and applying it to specific<br />
situati<strong>on</strong>s, which may or may not be specifically called out in the text. Disciplinary acti<strong>on</strong>s will be commensurate with the seriousness of the offense and may include permanent<br />
revocati<strong>on</strong> of certificati<strong>on</strong>s and/or expulsi<strong>on</strong> from the society.<br />
Fundamental Principles<br />
<strong>ASQ</strong> requires its representatives to be h<strong>on</strong>est and transparent. Avoid c<strong>on</strong>flicts of interest and plagiarism. Do not harm others. Treat them with respect, dignity, and fairness. Be<br />
professi<strong>on</strong>al and socially resp<strong>on</strong>sible. Advance the role and percepti<strong>on</strong> of the Quality professi<strong>on</strong>al.<br />
Expectati<strong>on</strong>s of a Quality Professi<strong>on</strong>al<br />
• Act with Integrity and H<strong>on</strong>esty<br />
Strive to uphold and advance the integrity, h<strong>on</strong>or, and dignity of the Quality professi<strong>on</strong>.<br />
Be truthful and transparent in all professi<strong>on</strong>al interacti<strong>on</strong>s and activities.<br />
Execute professi<strong>on</strong>al resp<strong>on</strong>sibilities and make decisi<strong>on</strong>s in an objective, factual, and fully informed manner.<br />
Accurately represent and do not mislead others regarding professi<strong>on</strong>al qualificati<strong>on</strong>s, including educati<strong>on</strong>, titles, affiliati<strong>on</strong>s, and certificati<strong>on</strong>s.<br />
Offer services, provide advice, and undertake assignments <strong>on</strong>ly in your areas of competence, expertise, and training.<br />
• Dem<strong>on</strong>strate Resp<strong>on</strong>sibility, Respect, and Fairness<br />
Hold paramount the safety, health, and welfare of individuals, the public, and the envir<strong>on</strong>ment.<br />
Avoid c<strong>on</strong>duct that unjustly harms or threatens the reputati<strong>on</strong> of the Society, its members, or the Quality professi<strong>on</strong>.<br />
Do not intenti<strong>on</strong>ally cause harm to others through words or deeds. Treat others fairly, courteously, with dignity, and without prejudice or<br />
discriminati<strong>on</strong>.<br />
Act and c<strong>on</strong>duct business in a professi<strong>on</strong>al and socially resp<strong>on</strong>sible manner.<br />
Allow diversity in the opini<strong>on</strong>s and pers<strong>on</strong>al lives of others.<br />
• Safeguard Proprietary Informati<strong>on</strong> and Avoid C<strong>on</strong>flicts of Interest<br />
Ensure the protecti<strong>on</strong> and integrity of c<strong>on</strong>fidential informati<strong>on</strong>.<br />
Do not use c<strong>on</strong>fidential informati<strong>on</strong> for pers<strong>on</strong>al gain.<br />
Fully disclose and avoid any real or perceived c<strong>on</strong>flicts of interest that could reas<strong>on</strong>ably impair objectivity or independence in the service of clients,<br />
customers, employers, or the Society.<br />
Give credit where it is due.<br />
Do not plagiarize. Do not use the intellectual property of others without permissi<strong>on</strong>. Document the permissi<strong>on</strong> as it is obtained<br />
https://asq.org/about-asq/code-of-ethics<br />
Charlie Ch<strong>on</strong>g/ Fi<strong>on</strong> Zhang
Codes of ethics<br />
The purpose of the American Society for Quality (<strong>ASQ</strong>) Code of Ethics is to establish global standards of c<strong>on</strong>duct and behavior for its members, certificati<strong>on</strong> holders, and any<strong>on</strong>e else who may represent or be<br />
perceived to represent <strong>ASQ</strong>. In additi<strong>on</strong> to the code, all applicable <strong>ASQ</strong> policies and procedures should be followed. Violati<strong>on</strong>s to the Code of Ethics should be reported. Differences in work style or pers<strong>on</strong>alities<br />
should be first addressed directly with others before escalating to an ethics issue. The <strong>ASQ</strong> Professi<strong>on</strong>al Ethics and Qualificati<strong>on</strong>s Committee, appointed annually by the <strong>ASQ</strong> Board of Directors, is resp<strong>on</strong>sible for<br />
interpreting this code and applying it to specific situati<strong>on</strong>s, which may or may not be specifically called out in the text. Disciplinary acti<strong>on</strong>s will be commensurate with the seriousness of the offense and may include<br />
permanent revocati<strong>on</strong> of certificati<strong>on</strong>s and/or expulsi<strong>on</strong> from the society.<br />
<strong>Part</strong> IE1<br />
Fundamental Principles<br />
<strong>ASQ</strong> requires its representatives to be h<strong>on</strong>est and transparent. Avoid c<strong>on</strong>flicts of interest and plagiarism. Do not harm others. Treat them with respect, dignity, and fairness. Be professi<strong>on</strong>al and socially resp<strong>on</strong>sible.<br />
Advance the role and percepti<strong>on</strong> of the Quality professi<strong>on</strong>al.<br />
Expectati<strong>on</strong>s of a Quality Professi<strong>on</strong>al<br />
• Act with Integrity and H<strong>on</strong>esty<br />
Strive to uphold and advance the integrity, h<strong>on</strong>or, and dignity of the Quality professi<strong>on</strong>.<br />
Be truthful and transparent in all professi<strong>on</strong>al interacti<strong>on</strong>s and activities.<br />
Execute professi<strong>on</strong>al resp<strong>on</strong>sibilities and make decisi<strong>on</strong>s in an objective, factual, and fully informed manner.<br />
Accurately represent and do not mislead others regarding professi<strong>on</strong>al qualificati<strong>on</strong>s, including educati<strong>on</strong>, titles, affiliati<strong>on</strong>s, and certificati<strong>on</strong>s.<br />
Offer services, provide advice, and undertake assignments <strong>on</strong>ly in your areas of competence, expertise, and training.<br />
• Dem<strong>on</strong>strate Resp<strong>on</strong>sibility, Respect, and Fairness<br />
Hold paramount the safety, health, and welfare of individuals, the public, and the envir<strong>on</strong>ment.<br />
Avoid c<strong>on</strong>duct that unjustly harms or threatens the reputati<strong>on</strong> of the Society, its members, or the Quality professi<strong>on</strong>.<br />
Do not intenti<strong>on</strong>ally cause harm to others through words or deeds. Treat others fairly, courteously, with dignity, and without prejudice or discriminati<strong>on</strong>.<br />
Act and c<strong>on</strong>duct business in a professi<strong>on</strong>al and socially resp<strong>on</strong>sible manner.<br />
Allow diversity in the opini<strong>on</strong>s and pers<strong>on</strong>al lives of others.<br />
• Safeguard Proprietary Informati<strong>on</strong> and Avoid C<strong>on</strong>flicts of Interest<br />
Ensure the protecti<strong>on</strong> and integrity of c<strong>on</strong>fidential informati<strong>on</strong>.<br />
Do not use c<strong>on</strong>fidential informati<strong>on</strong> for pers<strong>on</strong>al gain.<br />
Fully disclose and avoid any real or perceived c<strong>on</strong>flicts of interest that could reas<strong>on</strong>ably impair objectivity or independence in the service of clients, customers, employers, or<br />
the Society.<br />
Give credit where it is due.<br />
Do not plagiarize. Do not use the intellectual property of others without permissi<strong>on</strong>. Document the permissi<strong>on</strong> as it is obtained<br />
https://asq.org/about-asq/code-of-ethics<br />
Charlie Ch<strong>on</strong>g/ Fi<strong>on</strong> Zhang
Codes of ethics<br />
The purpose of the American Society for Quality (<strong>ASQ</strong>) Code of Ethics is to establish global standards of c<strong>on</strong>duct and behavior for its members, certificati<strong>on</strong> holders, and any<strong>on</strong>e else who may represent or be<br />
perceived to represent <strong>ASQ</strong>. In additi<strong>on</strong> to the code, all applicable <strong>ASQ</strong> policies and procedures should be followed. Violati<strong>on</strong>s to the Code of Ethics should be reported. Differences in work style or pers<strong>on</strong>alities<br />
should be first addressed directly with others before escalating to an ethics issue. The <strong>ASQ</strong> Professi<strong>on</strong>al Ethics and Qualificati<strong>on</strong>s Committee, appointed annually by the <strong>ASQ</strong> Board of Directors, is resp<strong>on</strong>sible for<br />
interpreting this code and applying it to specific situati<strong>on</strong>s, which may or may not be specifically called out in the text. Disciplinary acti<strong>on</strong>s will be commensurate with the seriousness of the offense and may include<br />
permanent revocati<strong>on</strong> of certificati<strong>on</strong>s and/or expulsi<strong>on</strong> from the society.<br />
<strong>Part</strong> IE1<br />
Fundamental Principles<br />
<strong>ASQ</strong> requires its representatives to be h<strong>on</strong>est and transparent. Avoid c<strong>on</strong>flicts of interest and plagiarism. Do not harm others. Treat them with respect, dignity, and fairness. Be professi<strong>on</strong>al and socially resp<strong>on</strong>sible.<br />
Advance the role and percepti<strong>on</strong> of the Quality professi<strong>on</strong>al.<br />
Expectati<strong>on</strong>s of a Quality Professi<strong>on</strong>al<br />
• Act with Integrity and H<strong>on</strong>esty<br />
Strive to uphold and advance the integrity, h<strong>on</strong>or, and dignity of the Quality professi<strong>on</strong>.<br />
Be truthful and transparent in all professi<strong>on</strong>al interacti<strong>on</strong>s and activities.<br />
Execute professi<strong>on</strong>al resp<strong>on</strong>sibilities and make decisi<strong>on</strong>s in an objective, factual, and fully informed manner.<br />
Accurately represent and do not mislead others regarding professi<strong>on</strong>al qualificati<strong>on</strong>s, including educati<strong>on</strong>, titles, affiliati<strong>on</strong>s, and certificati<strong>on</strong>s.<br />
Offer services, provide advice, and undertake assignments <strong>on</strong>ly in your areas of competence, expertise, and training.<br />
• Dem<strong>on</strong>strate Resp<strong>on</strong>sibility, Respect, and Fairness<br />
Hold paramount the safety, health, and welfare of individuals, the public, and the envir<strong>on</strong>ment.<br />
Avoid c<strong>on</strong>duct that unjustly harms or threatens the reputati<strong>on</strong> of the Society, its members, or the Quality professi<strong>on</strong>.<br />
Do not intenti<strong>on</strong>ally cause harm to others through words or deeds. Treat others fairly, courteously, with dignity, and without prejudice or discriminati<strong>on</strong>.<br />
Act and c<strong>on</strong>duct business in a professi<strong>on</strong>al and socially resp<strong>on</strong>sible manner.<br />
Allow diversity in the opini<strong>on</strong>s and pers<strong>on</strong>al lives of others.<br />
• Safeguard Proprietary Informati<strong>on</strong> and Avoid C<strong>on</strong>flicts of Interest<br />
Ensure the protecti<strong>on</strong> and integrity of c<strong>on</strong>fidential informati<strong>on</strong>.<br />
Do not use c<strong>on</strong>fidential informati<strong>on</strong> for pers<strong>on</strong>al gain.<br />
Fully disclose and avoid any real or perceived c<strong>on</strong>flicts of interest that could reas<strong>on</strong>ably impair objectivity or independence in the service of clients, customers, employers, or<br />
the Society.<br />
Give credit where it is due.<br />
Do not plagiarize. Do not use the intellectual property of others without permissi<strong>on</strong>. Document the permissi<strong>on</strong> as it is obtained<br />
https://asq.org/about-asq/code-of-ethics<br />
Charlie Ch<strong>on</strong>g/ Fi<strong>on</strong> Zhang
<strong>Part</strong> IE1<br />
Codes of ethics<br />
The purpose of the American Society for Quality (ASQ) Code of Ethics is to establish global standards of conduct and behavior for its members, certification holders, and anyone else who may represent or be perceived to represent ASQ. In addition to the code, all applicable ASQ policies and procedures should be followed. Violations to the Code of Ethics should be reported. Differences in work style or personalities should be first addressed directly with others before escalating to an ethics issue. The ASQ Professional Ethics and Qualifications Committee, appointed annually by the ASQ Board of Directors, is responsible for interpreting this code and applying it to specific situations, which may or may not be specifically called out in the text. Disciplinary actions will be commensurate with the seriousness of the offense and may include permanent revocation of certifications and/or expulsion from the society.<br />
Fundamental Principles<br />
ASQ requires its representatives to be honest and transparent. Avoid conflicts of interest and plagiarism. Do not harm others. Treat them with respect, dignity, and fairness. Be professional and socially responsible. Advance the role and perception of the Quality professional.<br />
Expectations of a Quality Professional<br />
• Act with Integrity and Honesty<br />
Strive to uphold and advance the integrity, honor, and dignity of the Quality profession.<br />
Be truthful and transparent in all professional interactions and activities.<br />
Execute professional responsibilities and make decisions in an objective, factual, and fully informed manner.<br />
Accurately represent and do not mislead others regarding professional qualifications, including education, titles, affiliations, and certifications.<br />
Offer services, provide advice, and undertake assignments only in your areas of competence, expertise, and training.<br />
• Demonstrate Responsibility, Respect, and Fairness<br />
Hold paramount the safety, health, and welfare of individuals, the public, and the environment.<br />
Avoid conduct that unjustly harms or threatens the reputation of the Society, its members, or the Quality profession.<br />
Do not intentionally cause harm to others through words or deeds. Treat others fairly, courteously, with dignity, and without prejudice or discrimination.<br />
Act and conduct business in a professional and socially responsible manner.<br />
Allow diversity in the opinions and personal lives of others.<br />
• Safeguard Proprietary Information and Avoid Conflicts of Interest<br />
Ensure the protection and integrity of confidential information.<br />
Do not use confidential information for personal gain.<br />
Fully disclose and avoid any real or perceived conflicts of interest that could reasonably impair objectivity or independence in the service of clients, customers, employers, or the Society.<br />
Give credit where it is due.<br />
Do not plagiarize. Do not use the intellectual property of others without permission. Document the permission as it is obtained.<br />
https://asq.org/about-asq/code-of-ethics<br />
The Institute of Internal Auditors Code of Ethics<br />
The Code of Ethics states the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.<br />
Code of Ethics—Principles<br />
Internal auditors are expected to apply and uphold the following principles:<br />
1. Integrity<br />
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.<br />
2. Objectivity<br />
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.<br />
3. Confidentiality<br />
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.<br />
4. Competency<br />
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.<br />
Rules of Conduct<br />
1. Integrity—Internal auditors:<br />
1.1. Shall perform their work with honesty, diligence, and responsibility.<br />
1.2. Shall observe the law and make disclosures expected by the law and the profession.<br />
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.<br />
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.<br />
2. Objectivity—Internal auditors:<br />
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.<br />
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.<br />
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.<br />
3. Confidentiality—Internal auditors:<br />
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.<br />
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.<br />
4. Competency—Internal auditors:<br />
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.<br />
4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).<br />
4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.<br />
Conflict of Interest<br />
The subject of conflict of interest often arises during audits. Conflict-of-interest situations sometimes encountered prior to and during audits include:<br />
• Previous employment of the auditor (or close relative) by the auditee or a major competitor of the auditee, regardless of the reason for separation<br />
• Holding of significant amounts of stocks or bonds in the auditee’s business or that of a major competitor<br />
• Previous or current close working relationship (for example, teaming partner, major supplier) with the organization<br />
• Prior involvement by the auditor in developing the quality program or procedures used by the group being audited<br />
• Desire to be hired by the group being audited<br />
• Close friendships within the group being audited<br />
• Offer by auditee of money, goods, or services in the nature of a bribe, kickback, or secret commission<br />
• Acceptance of a gift (money, gratuity, or other thing of value) with more than a nominal value, or involvement in auditee-sponsored sales promotions or other activities that may represent or be construed as a conflict of interest<br />
• Performance of outside work for the auditee that might adversely affect the auditor’s performance or judgment on the job<br />
The auditor should be aware of the different types of conflicts of interest. Prior to accepting an audit, auditors should examine their activities and relationship with the auditee and determine whether an actual or potential conflict of interest exists. For example, if after the start of an audit an auditor realizes that one of the department managers of the auditee organization is a past personal friend or mentor, the auditor should immediately report (to whom?) a potential conflict of interest even though the audit of the on-site activities has already started.<br />
[Figure: Conflict of Interest Exists (among other obvious situations). Diagram boxes: previous employment of the auditor by auditee or competitor, regardless of the reason for separation; close friendships within the group; holding of significant amounts of stocks; desire to be hired; previous or current close working relationship; prior involvement by the auditor in developing the quality program.]<br />
• When a Conflict of Interest Exists<br />
When there is an actual or potential conflict of interest with the organization or people being audited, the auditor must relay this information to audit program management or decline to conduct the audit, whichever is more appropriate.<br />
Actions that management and the audit team leader can take include:<br />
• Ensuring that sufficient time has passed to eliminate the conflict (?)<br />
• Assigning a different auditor to cover the specific area of conflict<br />
• Removing the auditor or the audit team leader from the team<br />
Confidentiality<br />
With processes, formulas, and equipment being developed by individual companies, the question of confidentiality of proprietary information has become a major concern during audits. Businesses could suffer great financial loss if customers or competitors were to gain access to proprietary processing knowledge, formulas, and trade secrets.<br />
The auditor must maintain confidentiality (How is the confidentiality maintained?), but not to the point of performing an inadequate audit. Each auditor needs to be prepared to sign agreements or utilize techniques for working around a proprietary area.<br />
• Confidentiality and Security Concerns<br />
Auditees can use a confidentiality agreement or a nondisclosure agreement to protect their interests. Both serve the same purpose: to keep proprietary information within the control of the auditee.<br />
• Confidentiality Agreement<br />
An auditor is often expected to sign a confidentiality or nondisclosure agreement before an audit begins. In general, these agreements require that the auditor not disclose any proprietary information gained during the audit. They may be extended to the auditor’s company, family, assigns, and so on, through legal language. Some confidentiality agreements that auditees expect the auditor to sign before being allowed to perform an audit of proprietary areas have become particularly onerous (burdensome, laborious, oppressive). Often these are written in legal language and are understandable only by someone familiar with the legal definitions of the words used. Auditors are normally not authorized to obligate their organizations.<br />
Agreements should contain a release that takes effect if proprietary information becomes public.<br />
An auditor should receive the agreement in advance so that it can be reviewed and approved by the auditing organization’s legal counsel or designated authority before the auditor signs it.<br />
IE2-Gossip<br />
An auditor was asked to sign a four-page confidentiality agreement before being allowed to perform an audit of a supplier. The agreement was written in legal language and obligated the auditor, the auditor’s heirs, the auditor’s assigns, and the auditor’s company to pay for any damages that might come about if the information was obtained by the supplier’s competitors. There was no time frame for the agreement, so if the information was disclosed at any time and by any person, they were all liable for the damages. The audit organization’s attorney advised against signing this agreement, and the audit team used alternate techniques to determine whether the process was adequate.<br />
Conduct<br />
Discussing proprietary information with others destroys the integrity of the audit function. While it is acceptable for an auditor to discuss actual audit experiences with other auditors, the discussion should be generic so that the auditee cannot be identified. Proprietary information should never be divulged (act of revealing) in a sharing situation with other auditors.<br />
Even body language could disclose proprietary information. For example, when asked a question about a proprietary process, auditors who shrug their shoulders, roll their eyes, or raise their eyebrows could signal the answer even if no words are spoken.<br />
Techniques<br />
Several techniques are available to the auditor to ensure that proprietary information remains proprietary.<br />
• No Note, Only Memory<br />
When auditing in an undisclosed area (Could the area be an intellectual or a physical area?), the auditor can rely on memory and not write audit notes. Any notes could become accessible to the public and would be discoverable in litigation. An auditor can “audit around” an undisclosed area. The auditor needs to be very flexible to be able to accomplish audit objectives when the auditee erects barriers.<br />
• Check Input<br />
A company may be in the process of getting a patent on a new method, for example, and may flatly refuse to allow the auditor to view a certain portion of that system. In these instances, the auditor must respect the auditee’s wishes and audit around the undisclosed area. If the inputs going into the undisclosed area appear to be correct and the outputs are likewise acceptable, then the auditor may assume that the undisclosed process is doing its job correctly.<br />
• Interview Personnel Away From Undisclosed Area (physical area?)<br />
Another technique is to remove personnel from the undisclosed area for interviews.<br />
• Partial Review of Document or Auditee Certify Relevant Document in Place<br />
The auditor can view parts of a document or have the auditee certify it. A company sometimes will refuse to allow an auditor to look at the procedure for a certain process even though a written procedure is required. To verify that the procedure exists, the auditor can ask the auditee to certify that the procedure does exist and that it covers the relevant process. The auditee may allow the auditor to view non-confidential sections of the document. The auditor may never actually view all the details but should do as much as practical to ensure that a procedure does exist and is approved for use.<br />
Greater Trust In The Ethics Of The Team Members (Acquaintances?)<br />
Such situations often resolve themselves on subsequent audits involving the same parties. As an auditee becomes more comfortable with the audit team and places greater trust in the ethics of the team members, the need to limit access to certain areas often becomes nonexistent.<br />
Security<br />
Companies in certain highly sensitive industries, such as those involved in national defense, may require that auditors have or obtain security clearances. This requirement should be determined well in advance of the audit to permit sufficient time for processing the request. Without the proper security clearance, an auditor may be restricted from certain areas of a company.<br />
Trust<br />
The auditee must be confident that the auditor will conduct the audit professionally and that the auditor possesses the integrity and technical knowledge to successfully complete the audit. Auditors are expected to exercise due care while performing their activities. This means that an auditor should be sufficiently competent to arrive at conclusions similar to those that another auditor would reach in the same or similar circumstances. Since an audit only samples a particular product, process, or system at a particular point in time, an auditor cannot be held responsible if an audit fails to recognize all deficiencies or irregularities in a system, as long as that auditor:<br />
• has used theoretically sound sampling techniques,<br />
• has complied with applicable standards, and<br />
• has adhered to the code of ethics.<br />
In addition to the usual responsibilities, an auditor may need to address difficult situations that require careful handling for successful resolution. Possible conflicts of interest should be recognized and reconciled before an audit begins.<br />
The detection of unsafe, unethical, or even illegal practices during an audit may rapidly change the planned course of the audit.<br />

IE1-Gossip
One way to work through the lack of a security clearance is to be constantly escorted, with classified areas, equipment, and activities shielded from view. This way, the auditor can evaluate part of the process and interview the people on the line.
Some products may be adversely impacted by the presence of auditors or by the auditor’s health. For example, some pharmaceutical products may be sensitive to people with certain medical conditions. Medical tests may need to be performed and results evaluated before the auditor is permitted to enter the processing facility. Wearing appropriate personal protective equipment such as gowning to limit human exposure may be sufficient to protect the product from humans.

Discovery Of Illegal Or Unsafe Conditions Or Activities
Auditors are in a unique position to observe illegal or unsafe conditions during the course of an audit because of their access to almost any area necessary for successful completion of the audit. Auditors must know what to do when these activities are observed.

When Unsafe Activities Are Observed
In some industries, an auditor may need to access potentially hazardous areas in a company during the course of an audit. Auditors are usually provided with personal protective equipment such as goggles or hard hats. Normally, auditors face no physical danger as long as regulations are enforced and the process is functioning properly. Sometimes, however, negligence or inexperience on the part of the auditee’s employees, a deficiency or malfunction of equipment or a process, or a combination of these may result in potentially dangerous situations. When an unsafe practice (such as open containers of hazardous chemicals near work areas, release of controlled chemicals, or flammable materials near a welding station) is observed, whether within or outside the scope of an audit, an auditor must not ignore it.
• In an internal audit, an auditor should immediately inform an auditee representative and the audit team leader, who will inform the auditee manager so that the problem can be resolved.
• In an external audit (second or third-party audit), the auditor must immediately inform the auditee and create a record of the situation. (and inform the audit team leader?)
If anyone on the audit team is endangered, the audit must be stopped and the auditors returned to a safe area. In most situations, management welcomes information about liability risks or other potential dangers.

When an unsafe practice is observed (Internal Audit)
Flowchart boxes: unsafe act observed by auditor; inform auditee representative (coordinator?); inform auditor team leader; inform program manager; problem resolved (safety situation or audit interruption?).

When an unsafe practice is observed (External Audit)
Flowchart boxes: unsafe act observed by auditor; inform auditee representative (coordinator?); inform auditor team leader?; inform program manager?; create a record of the situation; problem resolved.

When Illegal or Unethical Activities Are Detected
An auditor finding evidence of wrongdoing, whether within or outside the scope of an audit assignment, has an ethical duty to bring the matter to the attention of the client and appropriate management for action. The auditor should keep a record of such matters, safeguard the evidence, and obtain copies of pertinent documents and records (if necessary). The auditor must be aware of and apply the ethics of the profession and the law in this regard. An auditor may ask the client about the company’s ethics policy and ethics department prior to accepting the audit. If an ethics department exists, it may be a valuable resource if potentially unethical situations surface before, during, or after an audit.
Management will take appropriate action on illegal or unethical activities within the company. This may involve legal action of some type and the involvement of the auditor. Auditors should be aware of their legal responsibilities and rights under the law, including whistle-blower laws.
If management sponsors allegedly illegal activities, either internally or externally, the auditor’s employment may be threatened. An auditor should have access to legal counsel to resolve questionable issues. Often that legal counsel is best if it comes from outside the company. The U.S. Congress and various states have passed laws protecting people who report incidents of wrongdoing, including waste, fraud, and abuse (see a list of these laws at http://www.ncsl.org/issues-research/labor/state-whistleblower-laws.aspx). These whistle-blower statutes (see Figure 5.3 for examples) protect auditors and others. Questions about specific laws should be directed to the appropriate federal, state, or local authorities (see Figure 5.4 for an example of a local regulation). Please note that Figures 5.3 and 5.4 are provided as examples and may be dated. An auditor faced with a potential whistle-blower situation should seek the latest information available. It is sufficient to say that whistle-blowers have some protection under both federal and some state laws; however, the amount of protection and how it is applied depend on each situation.

Whistle-blower laws
A whistleblower (also written as whistle-blower or whistle blower) is a person who exposes any kind of information or activity that is deemed illegal, unethical, or not correct within an organization that is either private or public. The information of alleged wrongdoing can be classified in many ways: violation of company policy/rules, law, regulation, or threat to public interest/national security, as well as fraud, and corruption. Those who become whistleblowers can choose to bring information or allegations to surface either internally or externally. Internally, a whistleblower can bring his/her accusations to the attention of other people within the accused organization such as an immediate supervisor. Externally, a whistleblower can bring allegations to light by contacting a third party outside of an accused organization such as the media, government, law enforcement, or those who are concerned. Whistleblowers, however, take the risk of facing stiff reprisal and retaliation from those who are accused or alleged of wrongdoing.
Because of this, a number of laws exist to protect whistleblowers. Some third party groups even offer protection to whistleblowers, but that protection can only go so far. Whistleblowers face legal action, criminal charges, social stigma, and termination from any position, office, or job. Two other classifications of whistleblowing are private and public. The classifications relate to the type of organizations someone chooses to whistle-blow on: private sector, or public sector. Depending on many factors, both can have varying results. However, whistleblowing in the public sector organization is more likely to result in criminal charges and possible custodial sentences. A whistleblower who chooses to accuse a private sector organization or agency is more likely to face termination and legal and civil charges.
https://en.wikipedia.org/wiki/Whistleblower

An auditor may encounter illegal or unethical situations during the course of an audit, such as:
• when an auditee is knowingly shipping defective products,
• exposing personnel to unsafe conditions or
• dumping waste.
The auditor should verify the situation and then inform the audit team leader, who will inform the auditee. If the problem is caused by an oversight, it should be corrected immediately.

Internal Audit
• However, an auditee who knowingly ships a defective product, bypasses safety rules, or allows unauthorized discharges of pollution may be unwilling to correct the problem. In this case, the auditing organization should refuse to return to that company or internal group.

Third-Party Audit
• If a third-party audit is being performed, the auditor should immediately report the situation to the client.

External Supplier Audit
If the auditee is a supplier,
• the auditing organization may delay or stop shipments (if given the authority to do so) until the appropriate management function can resolve the issue.
• The auditing organization may advise its management to cancel any existing contracts or agreements and find more reputable and socially responsible sources for the item or service.

An auditor may encounter illegal or unethical situations during the course of an audit, such as:
• Human organs trafficking?
https://bigthink.com/philip-perry/what-you-need-to-know-about-human-organ-trafficking

An auditor who detects illegal or unethical activities within the auditing organization must tell the audit team leader, who will inform the manager. If the same or similar illegal or unethical activities recur often, the auditor’s principles are probably not compatible with those of the organization, and new employment should be considered.
Unethical activity that is in violation of internal company policy should be reported directly to management, whether it is unethical behavior of another employee, a customer, or a supplier. Illegal or unethical behavior on the part of an ASQ member that violates the ASQ code of ethics should be reported to the ASQ Ethics Committee at ethics@asq.org.
Although not commonplace, bribery is another example of an illegal or unethical situation that an auditor may encounter. An auditor encountering obvious bribery should flatly refuse the offer and stop the audit. The client and auditing organization management must be alerted and give the matter immediate attention. Gift-giving could be a less obvious form of bribery. Many public agencies and private companies have specific regulations and policies on ethical behavior. For example, a limited dollar amount may be specified for gifts that the auditor may ethically accept. An auditor has an obligation to refuse or return any gift that exceeds the stated amount, along with the option of refusing any item. Many auditors will accept an offer of an inexpensive meal since they feel that both parties benefit from the rapport established in a casual setting, while others will refuse even the offer of a soft drink.
Meaning: Rapport
A close and harmonious relationship in which the people or groups concerned understand each other's feelings or ideas and communicate well.

IE1-Gossip
One example of an unethical practice was noted during a supplier audit. A check of the material certification provided by the supplier revealed some similarities to another certification received from another supplier. The certificates were identical, including the names of the people and the dates signed, except that the supplier’s logo and name were now at the top. Further investigation found that the supplier simply pasted its logo and name over the logo and name of another company, made a copy, and sent it out as its own material certification. The company was caught only because the auditor had seen both certifications.

IE1-Gossip
An auditor reported that one of the most blatantly unethical activities he observed was by a supplier who knowingly shipped empty outer casings for a particular device. The casing had a sticker over the edge stating, “Warranty void if sticker broken.” The sticker would be broken if the customer opened the casing to look inside. After verifying what he had discovered, he discussed the situation with the audit manager, who in turn discussed it with auditee management. The auditor’s company ended up pulling its order from the supplier.

IE1-Gossip
During the course of an audit, an auditor happened to mention that she was an avid tennis player. Several weeks later she received a case of tennis balls from the auditee. She wrote a polite note and sent it to the auditee, along with the case of tennis balls.

Social and Cultural Considerations
In the international auditing arena, an auditor must be familiar with local customs so that potentially unethical situations can be interpreted correctly and responded to appropriately.
For example, in the United States it is considered a breach of ethics for an auditor to accept a gift or favor from a person in the audited organization. The custom in Japan is that gifts are given to visitors from foreign countries as a sign of friendship or as a memento of their visit to the factory. However, accepting gifts is not permitted for auditors.
Government auditors in Japan are strictly prohibited from accepting any gift or meal. Some companies allow acceptance of gifts to avoid offending the auditee but require the person to turn in the gift (for possible donation to a charity).
As quality auditing becomes increasingly global, organizations and individuals must be aware of such differences to prevent serious cultural misunderstandings from undermining the audit process. The need to be familiar with different cultures and norms is not limited to international auditing. Auditors should also be aware of cultural differences and expectations in each individual workplace where the audit is being conducted. The auditor’s awareness and willingness to work with different cultures will help avoid misunderstandings and ensure the effectiveness of the audit.

Overcoming Language And Literacy Barriers
Audit personnel must either be fluent in the language in which the audit is to be conducted or have the support of a technical expert with the necessary technical language skills. When necessary, the auditing organization should employ a skilled interpreter to assist with the audit. Even if all primary participants in an audit speak the same language, the auditor may encounter language or literacy barriers when attempting to interview individual employees. These same barriers may prevent the employee from understanding or performing assigned tasks. A written procedure may solve the problem, but if the employees are unable to read or understand the procedure, then the problem has not been addressed.
If an auditor understands the physical process before going into an audit and then focuses on the work, some of the literacy issues may be overcome with:
• the aid of flowcharts and (for auditor or employee?)
• other simple diagrams. (for auditor or employee?)
At times, an auditor may need to ask extremely simple questions to overcome a lack of language skills. If it is necessary for personnel to be able to follow procedures and complete records to perform their job and they are not able to do so, they may not be competent. Competency issues may lead an auditor to determine how personnel were trained and how competency needs were addressed.

IE1-Gossip
One technique that can be used when the auditor does not speak the language of the auditee is for the auditor to observe the process, take detailed notes, and then have someone in the audit room walk the auditor through the related procedure (even if it is in the native language) so that he or she can compare it with his or her notes. This practice can highlight issues with following the written procedure.

IE1-Gossip
An auditor was shown documented instructions that were available to guide the operators in their work. The instructions were written in English. However, the auditor noticed that a number of the operators were unable to read or speak English, and no translated instructions were available for this portion of the workforce. Were the non-English-speaking operators more competent than the English-speaking operators, and therefore instructions were unnecessary? Or, did the instructions include pictures and diagrams to overcome the language barrier? Literacy questions or understanding documentation in another language can be very sensitive issues. The auditor should be very cautious in phrasing questions on these topics.

Avoiding Internal Conflict-Of-Interest Problems
Selecting an auditor from within an organization (for a first-party audit) can cause problems, especially in the case of a one-site operation. The objectivity of an auditor working in an area of previous employment may be questioned. Former peers may be intimidated or uncooperative, or they may use the auditor as a sounding board for complaints, making it difficult for the auditor to obtain objective information. They also may think that the auditor will not report procedural violations. Furthermore, the auditor’s knowledge of how a product, process, or system functions may be outdated, and time may be wasted as the auditor follows the wrong path using incorrect criteria. Ideally, an auditor will not be assigned to audit an area of previous employment. For internal audits, though, such assignments cannot always be avoided, especially for small organizations. The negative effects must be weighed against the benefits that selecting an auditor from within the organization may offer.
Such benefits may include a superior understanding of the organization’s product or service and the processes involved in production, along with a strong familiarity with the applicable quality requirements or standards. Negative effects may include hidden agendas, perceived bias on the part of the auditee, and the possibility that the auditor will try to solve problems using past knowledge rather than auditing the current system.

• Remedial Action/ Containment Action/ Correction
During an audit, some auditees will request to be notified of nonconformances so that they can take immediate action. In many cases, immediate action would be remedial action (also called containment action or correction) and not corrective action.
Remedial action addresses only the symptom and does not eliminate the underlying cause of the problem as corrective action would.
The auditor may discuss with the auditee the pitfalls of taking only remedial action. The auditor should also explain that even though remedial action was taken, it would be unethical not to include the observed nonconformance in the final report.
• Maintaining Audit Confidence
Besides acting professionally at all times, the auditor must maintain the confidence of the auditing organization:
• by never divulging proprietary information to the auditee,
• by refraining from speaking negatively about the auditing organization or previous auditees, and
• by refraining from discussing the performance of previous auditees with people in the organization currently being audited.
When facing one of these problems or other more difficult ones, the auditor must remain focused and in control of the audit process.

Part IE2
IE2. Legal Consequences
Personal and Corporate Liability
This handbook is not a primer on law as applied to auditing and should not be considered a source of legal advice. If questions arise, auditors must consult their own lawyers for information. Liability issues have become more apparent with the advent of the quality management system (QMS) and environmental management system (EMS) registration/certification programs. Each company and each auditor accepts liability for the decisions made regarding whether to grant registration/certification. There are appeal processes, but in the end, a court of law could be called in for the final decision. A key liability consideration is whether a company relies on audit information as the basis for making a decision.

Illegal Activities
As an auditor collects information throughout the audit process, the auditee may disclose certain kinds of information. This information can lead to illegal activities by the auditor, unless the auditor is aware that the use of this information is illegal. Figure 5.5 provides a general explanation of each type of information and the illegal activity that the auditor can inadvertently engage in.

Figure 5.5 Illegal auditor activities.
Source: ASQ’s Foundations in Quality: Certified Quality Auditor, Module 1: Ethics, Professional Conduct, and Liability Issues (Milwaukee, WI: ASQ Quality Press, 1998), pp. 1–16.
Liability: Violation of securities laws
Explanation: If someone learns information that is important to investors but not available to the public and proceeds to act on it or tells someone who then acts on it, it is a violation of securities laws.
Auditor example: During an audit interview, a senior manager accidentally reveals acquisition plans to an auditor. The auditor uses the information to make personal investments in the stock market.
What is Securities Law?<br />
Securities law represents the multiple federal laws and regulati<strong>on</strong>s that govern the sale, purchase, and creati<strong>on</strong> of security interests. These rules derive from a<br />
simple and straightforward c<strong>on</strong>cept: all investors, whether large instituti<strong>on</strong>s or private individuals, should have access to certain basic facts about an investment<br />
prior to buying it. Only through the steady flow of timely, comprehensive and accurate informati<strong>on</strong> can people make sound investment decisi<strong>on</strong>s.<br />
Securities Law Violati<strong>on</strong>s<br />
Each year the SEC brings between 400-500 civil enforcement acti<strong>on</strong>s against individuals and companies that break the securities laws. Typical infracti<strong>on</strong>s<br />
include insider trading, accounting fraud, and providing false or misleading informati<strong>on</strong> about securities and the companies that issue them. Securities law<br />
violati<strong>on</strong>s are also serious criminal infracti<strong>on</strong>s that can result into both incarcerati<strong>on</strong> (impris<strong>on</strong>ment) and substantial fines.<br />
Insider Trading<br />
Insider trading refers to transacti<strong>on</strong>s in securities of publicly held corporati<strong>on</strong>s by pers<strong>on</strong>s with inside or advance informati<strong>on</strong> <strong>on</strong> which the trading is based.<br />
Usually, the trader is an "insider" with an employment or other relati<strong>on</strong>ship of trust with the corporati<strong>on</strong>. For example, if an employee of a corporati<strong>on</strong> learns that<br />
her company will enter a merger agreement with a rival competitor, and with this knowledge purchases shares of stock with the expectati<strong>on</strong> that the value will<br />
increase after the merger agreement becomes public knowledge, the employee is abusing her insider status and has engaged in insider trading.<br />
https://www.legalmatch.com/law-library/article/securities-law.html<br />
Liability: Violation of antitrust laws (anti-monopoly)
(Who violates the antitrust law? The competitor?)
Explanation: If someone learns information and uses it to restrict competition in a particular market, it is a violation of
antitrust laws.
Auditor example: An auditor comments to the auditee that another supplier with the same quality system realizes far fewer gains.
The auditee uses the information to produce negative advertisements against the supplier.
United States antitrust law is a collection of federal and state government laws that regulates the conduct and organization of business corporations, generally
to promote fair competition for the benefit of consumers. (The concept is called competition law in other English-speaking countries.) The main statutes are the
Sherman Act of 1890, the Clayton Act of 1914 and the Federal Trade Commission Act of 1914. These Acts, first, restrict the formation of cartels and prohibit
other collusive practices regarded as being in restraint of trade. Second, they restrict the mergers and acquisitions of organizations that could substantially
lessen competition. Third, they prohibit the creation of a monopoly and the abuse of monopoly power.[1]
The Federal Trade Commission, the U.S. Department of Justice, state governments and private parties who are sufficiently affected may all bring actions in the
courts to enforce the antitrust laws. The scope of antitrust laws, and the degree to which they should interfere in an enterprise's freedom to conduct business,
or to protect smaller businesses, communities and consumers, are strongly debated. One view, most closely associated with the "Chicago School of
economics" suggests that antitrust laws should focus solely on the benefits to consumers and overall efficiency, while a broad range of legal and economic
theory sees the role of antitrust laws as also controlling economic power in the public interest.
https://en.wikipedia.org/wiki/United_States_antitrust_law
Definition of Sherman Antitrust Act
Noun: A federal statute that prohibits companies from engaging in unfair business practices.
https://legaldictionary.net/sherman-antitrust-act/
Liability: Violation of due care
Explanation: If someone fails to exercise reasonable care or competency in the course of providing guidance for
others in their business transactions, it is a violation of due care.
Auditor example: An auditor grants a supplier ISO 9001 certification despite the audit team’s failure to follow correct accrediting
procedure (not exercising due care) during the audit. Based on the certification, a company purchases faulty
product from the supplier for commercial distribution.
Due care is a level of responsibility that a person in a particular situation is expected to practice. For example, due care is practiced when a person drives his
car safely. He is expected to adhere to the rules of the road so as to prevent injury to himself and to others. When he makes it from point A to point B, while
following all of the rules that are expected of him, he has practiced due care in operating his vehicle. In law, determining someone’s due care is determining to
what extent, if any, he was negligent in the situation at hand.
https://legaldictionary.net/due-care/
Liability: Aiding and abetting (encourage or help someone to do something (especially something illegal))
Explanation: If someone willfully causes an act to be done and the same act would be an offense against the United States
if directly performed by him or her, it constitutes aiding and abetting.
Auditor example: An auditor discovers that an auditee is using materials against contractual requirements but does not include
the information in the final audit report.
Definition of Aiding and Abetting
Noun: The act of helping, encouraging, or supporting someone in the commission of a crime.
Verb: To actively encourage, to assist, or to support the commission of a criminal act.
Example of Aiding and Abetting
When Della’s boyfriend Rob, and his friend Steve, begin holding “private” meetings in the couple’s basement, she knows something is up. A few weeks later,
Rob comes home in a rush, hauling a couple of heavy bags down the basement steps. Worried, Della follows him down, to see a huge amount of cash in the
bags, as Rob worked frantically to stuff it all into a hole in the wall behind the heating unit. Deciding she doesn’t want to know, Della just pushes it out of her
mind. A couple of weeks later, the police come to Della’s door, wanting to talk to her. When they tell her they have evidence that Rob committed a bank
robbery recently, she acts shocked, and denies knowing anything about it. The truth is, she has suspected as much the day he brought the cash home, but has
been reluctant to say something. Rob has ensured her a $100,000 cut of the money, and she would hate for the authorities to carry it all away.
Throughout the investigation, in this example of aiding and abetting, Della denies any involvement with, or even knowledge of the crime. Della, by her actions
(or failure to tell what she knows), is aiding and abetting her boyfriend’s crime.
https://legaldictionary.net/aiding-and-abetting/
The Auditor as an Agent
As a representative of a company, an individual auditor can unknowingly acquire legal liability in
several areas.
• Auditor Making Empty Statement (refrain from)
First, the auditor might make statements that an auditee uses to make decisions. If these
statements are later shown to be untrue, the auditee might have recourse against the auditor’s
company for damages. For example, if a third-party auditor told the auditee that the auditee’s
company would get a discount on insurance if it were compliant with ISO 9001, and the auditee
used that information as a reason for deciding to implement ISO 9001, then the auditee might
recover damages if no discount was forthcoming.
• Telling Auditee How to Do His Work (refrain from)
An auditor also has to be careful not to tell the auditee how to do his or her work or what
decisions to make. If an auditee relies on the auditor’s words and subsequently fails to provide a
good product or service, ensure compliance to governmental regulations, or obtain registration,
the auditee might recover damages. Also, if an auditor provides guidance, even if the guidance
fixes the problem, the auditor still owns the solution. If the recommended solution is not the best,
there may be malicious compliance that will reflect back on the auditor.
Registrar/certification organizations and their auditors face a special liability during the audit and after
registration/certification. An organization certifying that others meet a set of standards must use reasonable
care or competency in certifying. The auditor must follow the procedures of the certification body during the
audit process and base the certification recommendation on the results of the audit.
The certification body must have specific procedures and requirements for certification, and these must be
equally applied to all companies.
IE2-Gossip
An auditor discovers that the auditee is shipping defective products.
After verifying and investigating the incident, the auditor records
10 product deficiencies that should be corrected before shipping
resumes. The audit team prioritizes the deficiencies and includes
them in the final report.
The fact that the audit team prioritized the deficiencies means
that it accepted partial responsibility for the solution. This makes the
audit team and its company at least partially liable should a problem
involving the defective products surface in the future.
Comments: Aiding and abetting or Violation of Due-Care?
Proprietary Information
Disclosure of proprietary information can come about because of the legal process itself. An
auditor completes audit checklists, makes notes of the results of the audit, and often makes
copies of information supporting the findings of the audit. These notes, completed checklists,
and copies find their way into the audit record and are kept for a specified period of time. If a
lawsuit is initiated during that time, the contents of the file may become available for “discovery”
by the parties to the lawsuit. Records of both internal and external audits are subject to
discovery by parties in a lawsuit. For example, if a supplier to your organization is party to a
lawsuit and your organization conducted an audit (external) of the supplier, your records are
subject to discovery. The same rights of discovery are true for both civil and criminal legal
proceedings. Through discovery, these records can become public. This is one of the main
reasons an auditor should not make copies of or take notes on proprietary information when
auditing a company. It is also a major reason for keeping extraneous comments out of the audit
record. Such comments can come back to haunt an auditor at the most inappropriate time.
Keywords:
an auditor should not make copies of or take notes on proprietary information when auditing a
company.
Meaning: Discovery, in the law of common law jurisdictions, is a pre-trial procedure in a lawsuit in which each party, through
the law of civil procedure, can obtain evidence from the other party or parties by means of discovery devices such as a request for
answers to interrogatories, request for production of documents, request for admissions and depositions. Discovery can be
obtained from non-parties using subpoenas (court summonses). When a discovery request is objected to, the requesting party may seek
the assistance of the court by filing a motion to compel discovery.
https://en.wikipedia.org/wiki/Discovery_%28law%29
IE2-Gossip
During an FAA audit of an organization, the FAA regulator asked to
review the completed internal audit checklists. On one checklist, an
auditor had written “This procedure is terrible” in the margin. The
auditor and the lead auditor spent the next three hours explaining
why the comment was on the checklist even though the auditor evaluated
the procedure as satisfactory.
FAA: Federal Aviation Administration
Audit Record Disclosure
Because most management systems require records indicating that each step is performed by following
documented procedures or methods, there are many documents and records available for both the defense
and the prosecution in the event of a lawsuit.
• Audit Report
Copies of the audit report must be sent to the client. Clients either designate other organizations and individuals
to receive copies or do the distribution themselves. In most cases, it is agreed that the auditee will receive a
copy of the audit report.
• Audit Records
The audit records should be treated as confidential information and should not be disclosed to internal or
outside entities without prior approval of the client and the auditee.
Accidental or deliberate disclosure of negative audit information that other companies can use as a basis for
making decisions that adversely affect the auditee may make the auditor and the auditor’s company liable for
damages. These damages can be considerable if a major contract is canceled or awarded to another company
on the basis of the audit information.
IE2-Gossip
Discovery is a pretrial device used by one party to obtain facts and
information about the case from the other party (who is this other party or parties) in order to help
prepare for trial. Under federal rules of civil procedure and in states that have adopted similar
rules, tools of discovery include deposition to oral and written questions, written interrogatories,
production of documents, permission to enter land or other property, physical and mental
examinations, and requests for admission. In criminal proceedings, discovery emphasizes the
right of the defense to obtain access to evidence necessary to prepare its own case.
IE2-Gossip
For FDA audits of organizations, the FDA typically will not request to
see internal audit reports but will ask to see evidence that scheduled
audits were performed. In some cases where there is a serious issue,
the FDA may require review of the internal audit report content to
evaluate whether the issue had been found during internal audits.
The potential audiences of the reports should be kept in mind when the
reports are written.
FDA: US Food and Drug Administration
Part IE3
IE3. Audit Credibility
Auditor Conduct
Professionalism is defined as the aims and qualities that characterize a profession or a professional person.
Auditors must comply with high standards of honesty, integrity, work ethic, diligence, loyalty, and commitment.
Auditing is a profession that requires individuals to conform to certain behaviors for maximum job proficiency.
The book Standards for the Professional Practice of Internal Auditing, published by the IIA, defines and
amplifies five general standards:
1. Independence
Internal auditors should be independent of the activities they audit
2. Professional proficiency
Internal audits should be performed with proficiency and due professional care
3. Scope of work
The scope of the internal audit should encompass the examination and evaluation of the adequacy and
effectiveness of the organization’s system of internal control and the quality of performance in carrying out
assigned responsibilities
4. Performance of audit work
Audit work should include planning the audit, examining and evaluating information, conducting interviews,
communicating results, and following up
5. Management of the internal auditing department
The director of internal auditing should properly manage the internal auditing department
These general standards could also apply to product, process, and system auditing. People in the auditing field
should be aware of standards of performance in other professions. A broader knowledge allows the auditor to
quickly understand different and difficult situations as they arise.
Communicating with the Auditee
An auditor’s temperament is often the key to a successful audit. A sullen (gloomy) or
unfriendly attitude could lead to resistance or malicious compliance.
Overly friendly or garrulous (incessantly chattering) behavior could lead to the impression that the
audit is not serious. The auditor should find an acceptable balance. By approaching an
auditee in a diplomatic and objective manner, the auditor can set a tone of success
for an audit. The auditor must be aware that each auditee views the audit process
differently, on the basis of individual management style, culture, personality, and
opinions. Many auditees are reluctant to welcome auditors into their world.
Resentment, fear, and anxiety are obstacles that must be overcome. By diplomatically
presenting and maintaining the audit program, the auditor can influence the auditee’s
perception of the audit function as well as the overall success of individual audits.
Meaning:
Malicious compliance is the behavior of intentionally inflicting harm by strictly following
the orders of a superior knowing that compliance with the orders will not have the
intended result. The term usually implies the following of an order in such a way that
ignores the order's intent but follows it to the letter. It is usually done to injure or harm
a superior while maintaining a sense of legitimacy. A specific form of industrial action
that utilizes this behavior is work-to-rule.
The auditor can establish good rapport with an auditee early in the audit by being
respectful, courteous, and appreciative of any special arrangements made for the
auditor’s comfort and convenience. By demonstrating that the audit has been
adequately planned and prepared for, and by making every effort to maintain the audit
schedule, the auditor projects an image of efficiency and professionalism. Maintaining
open communication channels throughout an audit is essential. An auditor must listen
attentively during interviews, allow the interviewee adequate response time, and
refrain from asking leading questions. Frequent and timely communication of findings,
questions, and concerns gives both the auditor and the auditee opportunities to
request clarifications, address corrective action, examine the scope of the situation,
and discuss the progress of the audit. Additionally, an auditor can set a positive tone
for an audit by highlighting commendable findings and observations.
The auditor’s ability to communicate effectively with management sets the tone for the
entire audit and may influence the auditee’s response to the audit findings. Auditors
should avoid naming names and should emphasize the purpose of the assessment
of the product, process, or system.
• Grievances
However, exemplary (worthy of imitation) conduct by an auditor does not prevent an auditee from
making false claims of theft, discrimination, sexual misconduct, or other forms of
unprofessionalism. No one is immune from false accusations, but disgruntled (unhappy)
auditees may target auditors who issue unfavorable reports.
Grievance procedures can be abused by the auditee to “get even” with the auditor for
finding problems in the auditee’s area of responsibility.
• Grievance Or Complaint Procedures
All audit organizations should have grievance or complaint procedures. The
procedures should include the protection of the rights of the accuser and the accused.
For audits that represent a high risk of false claims, or when the auditor feels
uncomfortable with a situation, one of the following options should be considered:
1. A second person should be scheduled to work with the auditor
2. The auditor should use some type of recording device (for example, a digital voice
recorder)
3. An escort should be present to witness interviews between the auditor and the
auditee
Audit Ethics
Audit ethics is perhaps the area that demands the most skill from an auditor. Training is
available for enhancing skills in checklist development, interviewing techniques, audit
documentation, follow-up methods, and almost all other phases of an audit. On the other
hand, very little information is available on the topic of audit ethics. An auditor’s use of
questionable or unethical methods during or following an audit can quickly erase any
favorable impressions and be detrimental to the auditor and the auditing organization as a
whole.
ISO 19011 contains six principles of auditing that are:
“prerequisite for providing audit conclusions that are relevant and sufficient for enabling
auditors working independently from one another to reach similar conclusions in similar
circumstances.”
These principles are:
1. Integrity: the foundation of professionalism
Auditors and the person managing an audit program should:
■ Perform their work with honesty, diligence, and responsibility;
■ Observe and comply with any applicable legal requirements;
■ Demonstrate their competence while performing their work;
■ Perform their work in an impartial manner, i.e. remain fair and unbiased in all their dealings;
■ Be sensitive to any influences that may be exerted on their judgment while carrying
out an audit.
2. Fair presentation: the obligation to report truthfully and accurately
Audit findings, audit conclusions and audit reports should reflect truthfully and
accurately the audit activities. Significant obstacles encountered during the audit and
unresolved diverging opinions between the audit team and the auditee should be
reported. The communication should be truthful, accurate, objective, timely, clear and
complete.
3. Due professional care: the application of diligence and judgment in auditing
Auditors should exercise due care in accordance with the importance of the task they
perform and the confidence placed in them by the audit client and other interested
parties. An important factor in carrying out their work with due professional care is
having the ability to make reasoned judgments in all audit situations.
4. Confidentiality: security of information
Auditors should exercise discretion in the use and protection of information acquired
in the course of their duties. Audit information should not be used inappropriately for
personal gain by the auditor or the audit client, or in a manner detrimental to the
legitimate interests of the auditee. This concept includes the proper handling of
sensitive or confidential information.
5. Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions<br />
Auditors should be independent of the activity being audited wherever practicable, and<br />
should in all cases act in a manner that is free from bias and conflict of interest. For<br />
internal audits, auditors should be independent from the operating managers of the<br />
function being audited. Auditors should maintain objectivity throughout the audit<br />
process to ensure that the audit findings and conclusions are based only on the audit<br />
evidence. For small organizations, it may not be possible for internal auditors to be<br />
fully independent of the activity being audited, but every effort should be made to<br />
remove bias and encourage objectivity.<br />
6. Evidence-based approach: the rational method for reaching reliable and<br />
reproducible audit conclusions in a systematic audit process<br />
Audit evidence should be verifiable. It will in general be based on samples of the<br />
information available, since an audit is conducted during a finite period of time and<br />
with finite resources. An appropriate use of sampling should be applied, since this is<br />
closely related to the confidence that can be placed in the audit conclusions.<br />
These principles should help make the audit an effective, credible, and reliable tool in<br />
support of management policies and controls by providing information on which an<br />
organization can act in order to improve its performance. The principles provide a<br />
foundation for the conduct of auditors and persons managing an audit program.<br />
Audit Function Credibility<br />
A credible audit is a meaningful audit. Competent individuals who gather and handle all<br />
information pertaining to the audit in an unbiased and ethical manner provide a credible audit. An<br />
audit group should be structured so that it does not report directly to the manager of the function<br />
being audited. Management must use the audit results appropriately to establish and maintain<br />
the credibility of the program. The misuse of audit results or failure to initiate corrective actions<br />
will erode the credibility of the audit program, regardless of the performance of the auditors.<br />
Misuse of audit results includes:<br />
• using results as the sole basis for disciplinary action against individuals in a department,<br />
• evaluating personnel performance against goals and objectives,<br />
• and deciding pay raises, bonuses, or perks (extra allowances).<br />
Using a knowledgeable, experienced, skilled, capable, and well-trained auditor is the most<br />
effective way to enhance the credibility of the audit function. Becoming an ASQ Certified Quality<br />
Auditor is one way for an auditor to demonstrate knowledge. Many organizations have their own<br />
auditor qualification and/or certification process to ensure auditors are knowledgeable and<br />
capable. The use of unqualified auditors who possess little knowledge or who do not have the<br />
ability to assist management in making good decisions or improving a process can discredit the<br />
entire audit process.<br />
A good auditor does not have to be an expert in the area being audited, but the auditor does<br />
need to be knowledgeable in the discipline of auditing. The auditor needs to have an<br />
understanding of what is being observed.<br />
At times, an auditor must be able to grasp that understanding in minutes. When auditors need<br />
help, they should ask another member of the audit team to verify an observation or to assist in<br />
other ways. Auditors need to be able to communicate effectively, both orally and in writing. A<br />
large part of the job consists of interviewing. A good auditor must ask intelligent, proper<br />
questions and listen attentively. An auditor needs to be tactful and offer feedback in a positive,<br />
non-intimidating manner. An auditor needs to be especially considerate of an auditee’s<br />
employees. The audit process is disruptive to daily operations and can inconvenience<br />
employees. The auditor shows respect for and sensitivity to those being audited by sticking to<br />
the proposed audit schedule and not retaining employees through their meal or refreshment<br />
breaks. If people see the audit process as a nuisance, they are less likely to cooperate, and the<br />
auditor runs the risk of being unable to complete the assignment well or on time.<br />
An auditor aims to keep the credibility of the audit function on a high plane. The<br />
auditor does this by looking at information objectively and avoiding ethical conflicts.<br />
An auditee must trust that an auditor will not divulge proprietary information to<br />
competitors or other outsiders who can use it to their benefit. Even internally, auditors<br />
must be careful to maintain confidentiality. This is especially true when the locations or<br />
departments report to different management. Following a code of ethics is not the sole<br />
responsibility of the auditor. Everyone involved in the process must practice and<br />
promote ethics. Audit program managers and audit functions/departments should be<br />
responsible for promoting and monitoring ethical behavior throughout the audit<br />
function and requiring auditors to adhere to a code of ethics.<br />
Higher levels of ethical conduct can be achieved only when management actively<br />
promotes this conduct and when auditors are supported instead of being left to fend<br />
for themselves. The credibility of the audit function is enhanced when the role of the<br />
audit function is communicated and understood by all stakeholders, when the auditors<br />
act professionally, and when the program is professionally managed. Fear of the audit<br />
function will reduce its credibility. The audit function should be managed and made<br />
accountable in the same way as other functions within the organization.<br />
IE3-Gossip<br />
In a closing meeting at a supplier audit, the auditee asked the name<br />
of the person involved with every negative finding. These individuals<br />
were brought to the meeting room by the auditee management. It was<br />
a very uncomfortable situation for the auditor and for those being singled<br />
out as having caused the nonconformances, some of which were<br />
minor issues. The auditor should make every effort to emphasize that<br />
a negative finding is not meant to point fingers at a specific person but<br />
to identify a gap in conformance with a requirement.<br />
IE3-Gossip<br />
While performing an audit, an auditor found several points where<br />
a specific auditee was not following procedures. The auditee was<br />
informed during the interview that these would show up in the audit<br />
report. Unknown to the auditor, the auditee immediately filed a formal<br />
written complaint against the auditor, claiming unprofessional<br />
conduct and lack of objectivity. After an extensive investigation (one<br />
that was not kept confidential and that damaged the auditor’s professional<br />
reputation), the end result was that there was no basis for<br />
the complaint, and so it was dismissed. Because of this investigation,<br />
none of the auditor’s concerns were allowed to be included in the<br />
audit report.<br />
IE3-Gossip<br />
I am familiar with the attitude of one company in choosing members<br />
for its internal audit group. Rather than selecting its best employees<br />
and training them as auditors, this company uses the audit group as<br />
a means of relieving its worst employees from critical areas in the<br />
organization. These people are completely wrong for this position.<br />
IE3-Gossip<br />
As an auditee, I had received an audit agenda for a third-party audit.<br />
The first item on the agenda was a quick plant tour. However, as we<br />
started the tour, the auditor requested to see a certain area of the plant<br />
not scheduled for that audit. As we were about to leave the area, he<br />
said, “I know it’s not on the agenda, but I would like to ask a couple<br />
of questions here. It won’t take long; I don’t want to get off schedule,<br />
but I’d like to start here.” A day and a half later, the auditor was still<br />
in that area asking questions. He never audited another department<br />
in the entire facility.<br />
Part II<br />
Audit Process<br />
[42 of the CQA Exam Questions or 28 percent]<br />
Chapter 6 Audit Preparation and Planning/Part IIA<br />
Chapter 7 Audit Performance/Part IIB<br />
Chapter 8 Audit Reporting/Part IIC<br />
Chapter 9 Audit Follow-up and Closure/Part IID<br />
At least one academic expert recommends[3] the following:<br />