Audit Process

Table of contents

2. Scope of Applicability
3. Reference documents

5.1 Procedure for Initial Certification Audit
5.1.1 Procedures of Stage I Audit
5.1.2 Procedures for Stage II Audit
  • Opening meeting
  • Onsite Audit
  • Identifying and recording audit findings
  • Preparing audit conclusions
  • Closing meeting
5.1.3 Audit Programme
5.2 Procedures for Surveillance Audits
5.3 Procedures for Recertification Audits
5.4 Procedures for Special Audits
5.4.1 Expanding scope
5.4.2 Short-notice audits
6. Records – Other Applicable Document
7. Revision Status

1. Purpose

The purpose of this procedure is to detail the auditing process that would be undertaken by the KIHT Certification Services (KCS). This document shall list and describe the activities that would be performed by KCS during the audit process at the client site.

2. Scope of Applicability

This procedure applies to the following auditing processes performed by KCS:

  1. Initial certification audit
  2. Surveillance audit
  3. Recertification audit

3. Reference Documents/Standards (latest version is applicable unless otherwise mentioned)

  • ISO/IEC 17021-1:2015 – Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements
  • ISO/IEC 17021-3 – Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 3: Competence requirements for auditing and certification of quality management systems
  • IAF MD-9 – Application of ISO/IEC 17021-1 in the Field of Medical Device Quality Management Systems (Latest version is applicable)
  • IAF MD 4 – Use of information and communication technology (ICT) for auditing and assessment purpose
  • ISO 19011: 2018 – Guidelines for auditing management systems

4. Responsibilities

  1. All auditing processes will be conducted by Auditors approved by the certification manager.
  2. The concerned auditors are responsible for carrying out the audits as per the procedure.

5. Procedures

Auditing processes include three types of audits:

a. Initial certification audit – This audit consists of two stages

  • Stage 1 audit – Stage 1 audit is performed to ensure the readiness of the client for the detailed Stage 2 audit.
  • Stage 2 audit – Stage 2 audit is a detailed, thorough assessment performed to establish whether the organization’s management system is compliant with the relevant standard and to seek evidence that the organization is following its documentation.

b. Surveillance audits – These audits are done annually to ensure that the management system of the client is working effectively after the initial audit.

c. Re-certification audits – These are performed every three years to ensure that the client continues to adhere to the management system standards and that no major changes have occurred since the previous certification.

5.1 Procedure for the Initial certification audit

Once a formal contract is signed, KCS will appoint a competent audit team and notify the client of the team members. If required, KCS will add technical experts (TE) to make the team competent.

KCS shall share the CVs of the nominated audit team members with the client to identify any conflict-of-interest issues. If any objection is received from the client, KCS will accordingly revise the team with justified reason.

The initial certification audit shall be conducted in two stages: the Stage 1 audit and the Stage 2 audit.

5.1.1 Procedure for Stage 1 audit process

KCS auditors shall perform the Stage 1 audit on-site based on contract review and relevant IAF documents. In the case of multiple locations, the Stage 1 audit will be conducted at the main/head office.

KCS audit team leader (TL) shall develop an audit plan for the Stage 1 audit, share and discuss it with the client and agree upon a date for conducting the audit.

TL shall notify the client of the documents required to be submitted on the day of the audit.

On the start day of the Stage 1 audit, TL shall conduct an opening meeting on-site. TL shall introduce the audit team and explain the Stage 1 audit process and address any questions either side might have.

The audit team shall then meet the objectives of Stage 1 as mentioned below:

  1. review the client’s management system documented information.
  2. evaluate the client’s site-specific conditions and undertake discussions with the client’s personnel to determine the preparedness for stage 2.
  3. review the client’s status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives, and operation of the management system.
  4. obtain necessary information regarding the scope of the management system, including
    • the client’s site(s);
    • processes and equipment used;
    • levels of controls established (particularly in case of multisite clients);
    • applicable statutory and regulatory requirements.
  5. review the allocation of resources for stage 2 and agree on the details of stage 2 with the client;
  6. provide a focus for planning stage 2 by gaining a sufficient understanding of the client’s management system and site operations in the context of the management system standard or other normative documents.
  7. evaluate if the internal audits and management reviews are being planned and performed and that the level of implementation of the management system substantiates that the client is ready for stage 2.

KCS shall ask for additional details and clarifications if necessary to ensure that the management system has been efficiently implemented and the client is ready to move forward with the Stage 2 audit.

Based on the results from the above-mentioned actions, a Stage 1 audit report shall be prepared by the TL containing

  • documented conclusions with regard to the fulfilment of the stage 1 objectives and the readiness for stage 2
  • identification of any areas of concern that could be classified as nonconformity during stage 2

At the end of the Stage 1 audit, a closing meeting shall be held with the client. The Stage 1 audit report shall be handed over to the organization. Any concerns or suggestions shall be discussed, and the result communicated.

If there are no areas of concern, then the audit team shall recommend the client for Stage 2 audit without any limitations.

If the audit team identifies areas of concern, then, based on the findings, the audit team shall either recommend the client for a Stage 2 audit or recommend the client only after suitable actions have been implemented to address the identified areas of concern.

For any significant changes which would impact the management system, verification by the audit team will be necessary after corrective actions have been implemented.

The interval between stage 1 and stage 2 will be determined based on the client’s need to resolve areas of concern identified during stage 1. Accordingly, the audit team may revise its arrangements for stage 2.

If there have been no corrective actions on concerns raised during the Stage 1 audit and no communication from the client for 6 months, the Stage 1 audit shall be repeated.

When the client is ready for the Stage 2 audit, the TL shall prepare a Stage 2 audit plan and communicate it to the applicant organization.

5.1.2 Procedure for the Stage 2 audit process

Upon completion of the Stage 1 audit, the audit team leader shall contact the client and notify the client regarding the Stage 2 audit.

The TL shall provide a plan for the Stage 2 audit and set up dates and times for the same.

Stage 2 audit shall be performed on-site and on workdays when all production and support operations are functional.

Stage 2 shall include the auditing of at least the following:

  1. information and evidence about conformity to all requirements of the applicable management system standard or other normative documents;
  2. performance monitoring, measuring, reporting, and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative documents);
  3. the ability of the client’s management system and its performance in meeting applicable statutory, regulatory and contractual requirements;
  4. operational control of the client’s processes;
  5. internal auditing and management review;
  6. management responsibility for the client’s policies.

Opening meeting

During the Stage 2 audit, the audit team shall perform the following:

The TL shall conduct the opening meeting. The meeting will be held with the client’s management and, where appropriate, those responsible for the functions or processes to be audited. The opening meeting shall consider the following:

  1. introduction of the participants, including an outline of their roles;
  2. confirmation of the scope of certification;
  3. confirmation of the audit plan (including type and scope of audit, objectives and criteria), any changes, and other relevant arrangements with the client, such as the date and time for the closing meeting, interim meetings between the audit team and the client’s management;
  4. confirmation of formal communication channels between the audit team and the client;
  5. confirmation that the resources and facilities needed by the audit team are available;
  6. confirmation of matters relating to confidentiality;
  7. confirmation of relevant work safety, emergency and security procedures for the audit team;
  8. confirmation of the availability, roles and identities of any guides and observers;
  9. the method of reporting, including any grading of audit findings;
  10. information about the conditions under which the audit may be prematurely terminated;
  11. confirmation that the audit team leader and audit team representing KCS is responsible for the audit and shall be in control of executing the audit plan including audit activities and audit trails;
  12. confirmation of the status of findings of the previous review or audit, if applicable;
  13. methods and procedures to be used to conduct the audit based on sampling;
  14. confirmation of the language to be used during the audit;
  15. confirmation that, during the audit, the client will be kept informed of audit progress and any concerns;
  16. opportunity for the client to ask questions.

On-site Audit

The audit shall be conducted by the audit team as per the audit plan. During this step, the audit team will ensure that all the objectives of the Stage 2 audit as mentioned in the initial part of this section are being met by the applicant/client.

An auditor might be accompanied by a guide who is well versed in the activities of the department under audit.

The information necessary for determining compliance with the management system standard shall be obtained through the following:

Interviews:

The audit team shall interview employees on-site during normal work hours.

Temporary and part-time employees shall also be interviewed.

Staff from each relevant department will be interviewed.

The interviews will span the organizational hierarchy: management, middle management, and labour staff shall be interviewed.

More than one person would be interviewed regarding a particular process/equipment.

The team will question each staff member about his/her role in the department and ask him/her to demonstrate his/her job and follow the instruction manual, to determine whether the competency of the staff is met.

Observation, Inspection, Sampling:

The auditors will observe procedures and processes during normal work hours of operation.

One process from each department will be observed and inspected.

When performing an observation, the auditor will physically observe the client’s personnel performing an internal control procedure. For instance, the auditor will observe the supervisor counting the items of equipment before dispatching them for delivery.

When performing an inspection, the auditor will inspect documents for proof that the internal control procedure was performed. For example, an auditor will inspect testing and calibration records/reports for medical equipment before they are sent for packaging.

The sample size within each procedure/process will be determined based on the size of the data and the risk of the process/equipment. For example, for purchase orders, out of a total of 50 purchase orders, 5 random purchase orders would be sampled and checked for quality and conformity to management system standards.

Review of client’s management system documentation

The KCS audit team will also request documents from the client, such as process manuals, policy and regulatory documents, procedures, work instructions, records and forms, and review them.

Documentation from each department would be reviewed as per the plan.

A random document could be reviewed for quality. For example, purchase order documents will be reviewed for supplier information, supervisor’s review and invoices. Information provided on the form will be verified for authenticity.

The audit team will also review internal audit reports and verify the effectiveness of the corrective action implementation against the findings raised.

KCS audit team shall periodically assess audit progress and exchange information among themselves to review the practical application of the management system and assess it for the fulfilment of the requirements of the standard.

Auditors will periodically communicate the progress of the audit along with any audit findings observed.

Identifying and recording audit findings

Audit findings summarizing conformity and detailing non-conformity (NC) shall be identified, classified and recorded to enable an informed certification decision to be made or the certification to be maintained.

Opportunities for improvement may be identified and recorded. Audit findings, however, which are NCs, shall not be recorded as opportunities for improvement.

A finding of NC shall be recorded against a specific requirement, and shall contain a clear statement of the NC, identifying in detail the objective evidence on which the NC is based. NCs shall be discussed with the client/organization to ensure that the evidence is accurate and that the NCs are understood. The auditor however shall refrain from suggesting the cause of NCs or their solution.

NCs could be of two types:

Major NC – NC that affects the capability of the management system to achieve the intended results. A number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.

Minor NC – NC that does not affect the capability of the management system to achieve the intended results.

The audit team leader shall attempt to resolve any diverging opinions between the audit team and the client concerning audit evidence or findings, and unresolved points shall be recorded.

Preparing audit conclusions

Under the responsibility of the audit team leader and prior to the closing meeting, the audit team shall:

  1. review the audit findings, and any other appropriate information obtained during the audit, against the audit objectives and audit criteria and classify the NCs (minor/major);
  2. agree upon the audit conclusions, taking into account the uncertainty inherent in the audit process;
  3. agree on any necessary follow-up actions;
  4. confirm the appropriateness of the audit programme or identify any modification required for future audits (e.g. scope of certification, audit time or dates, surveillance frequency, audit team competence).

Systematic findings shall be mentioned in the audit report even though they might have been corrected in a few places.

The audit report summarizing the conformities and detailing the non-conformities shall be prepared by the audit team leader.

Closing meeting

The Stage 2 audit shall end with a closing meeting conducted by the audit team leader. During the closing meeting, the KCS audit team leader shall:

  1. Present the audit report to the client/auditee
  2. Discuss the audit conclusions and may recommend improvements or give suggestions.
  3. Provide the client with a time frame to carry out a root cause analysis of the non-conformity and take corrective action. This shall be subsequently verified by the auditor.
  4. Discuss information about the complaint and appeal handling process.
  5. Give the client the opportunity to clarify any doubts regarding audit findings and resolve any difference of opinion on the same.
  6. A formal report will be submitted to the client by the audit team leader.
  7. KCS will seek feedback on the conduct of the audit from the client.

In order for the client to proceed to the next step of getting certified, NCs must be resolved as per the below time frame:

  • Any major NC must be resolved within 15 days of receiving the NC report from KCS.
  • Any minor NC must be resolved within 30 days of receiving the NC report from KCS.

5.1.3 Audit programme

An audit programme for the full certification cycle shall be developed to clearly identify the audit activity/activities required to demonstrate that the client’s management system fulfils the requirements for certification to the selected standard(s) or other normative document(s).

The audit programme for the certification cycle shall cover the complete management system requirements.

The audit programme for the initial certification shall include a two-stage initial audit, surveillance audits in the first and second years following the certification decision, and a recertification audit in the third year prior to the expiration of certification. The first three-year certification cycle begins with the certification decision. Subsequent cycles begin with the recertification decision. The determination of the audit programme and any subsequent adjustments shall consider the size of the client, the scope and complexity of its management system, products and processes as well as demonstrated level of management system effectiveness and the results of any previous audits.

The following list contains additional items that can be considered when developing or revising an audit programme; they might also need to be addressed when determining the audit scope and developing the audit plan:

  1. complaints received by KCS about the client;
  2. combined, integrated or joint audit;
  3. changes to the certification requirements;
  4. changes to legal requirements;
  5. changes to accreditation requirements;
  6. organizational performance data (e.g. defect levels, key performance indicators data);
  7. relevant interested parties’ concerns.

5.2 Procedure for Surveillance Audits

Surveillance audits shall be conducted at least once a calendar year, except in recertification years. The date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date.

Surveillance audits are on-site audits, but are not necessarily full system audits, and shall be planned together with the other surveillance activities so that KCS can maintain confidence that the client’s certified management system continues to fulfil requirements between recertification audits.

Each surveillance for the relevant management system standard shall include:

  1. internal audits and management review;
  2. a review of actions taken on nonconformities identified during the previous audit;
  3. complaints handling;
  4. effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system(s);
  5. progress of planned activities aimed at continual improvement;
  6. continuing operational control;
  7. review of any changes;
  8. use of marks and/or any other reference to certification.

5.3 Procedure for Recertification Audits

The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification.

A recertification audit shall be planned and conducted to evaluate the continued fulfilment of all of the requirements of the relevant management system standard or other normative documents. This shall be planned and conducted in due time to enable timely renewal before the certificate expiry date.

The recertification activity shall include the review of previous surveillance audit reports and consider the performance of the management system over the most recent certification cycle.

Recertification audit activities may need to have a stage 1 in situations where there have been significant changes to the management system, the organization, or the context in which the management system is operating (e.g. changes to legislation).

The recertification audit shall include an on-site audit that addresses the following:

  1. the effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification;
  2. demonstrated commitment to maintaining the effectiveness and improvement of the management system to enhance overall performance;
  3. the effectiveness of the management system in achieving the certified client’s objectives and the intended results of the respective management system(s).

Following the expiration of certification, KCS can restore certification within 6 months provided that the outstanding recertification activities are completed, otherwise at least a stage 2 shall be conducted.

The effective date on the certificate shall be on or after the recertification decision and the expiry date shall be based on the prior certification cycle.

5.4 Procedure for Special audits

5.4.1 Expanding scope

KCS shall, in response to an application for an extension to the scope of a certification already granted, undertake a review of the application and determine any audit activities necessary to decide whether or not the extension may be granted. This may be conducted in conjunction with a surveillance audit.

5.4.2 Short-notice audits

It may be necessary for KCS to conduct audits of certified clients at short notice to investigate complaints, in response to changes, or as follow-up on suspended clients. In such cases,

  1. KCS describes and communicates to the certified clients, in advance, the conditions under which these short-notice visits are to be conducted;
  2. KCS exercises additional care in the assignment of the audit team because of the lack of opportunity for the client to object to audit team members.

6. Records – Other Applicable Document

  1. Audit plan (F04)
  2. Audit report (Stage 1) [F08]
  3. Audit report (Stage 2) [F09]
  4. List of External/Supporting documents submitted by Client during Stage 1 and Stage 2 audits