Internal Audit Procedure:


Internal Audit Procedure: L3-MCP-02
Version No: 1.1

Revision History

REVISION   DATE       PREPARED BY     APPROVED BY   DESCRIPTION
Original   Apr-2015   Process Owner   MR            Initial Version
           Jul-2016   Process Owner   MR            Reviewed Version
           May-2017   Process Owner   MR            Reviewed Version
           May-2018   Process Owner   MR            Section 1 and 5.4(a): QMS 9001:2008 replaced by QMS 9001:2015

Version No: 1.1   Revision Date: 15-May-2018   Accessibility: Internal   Page 1 of 15

Table of Contents

1. Purpose
2. Scope
3. Responsibility
4. Process Flow
5. Process Description
   5.1 Frequency
   5.2 IA Calendar
   5.3 IA Plan (Schedule)
   5.4 Focus areas of internal audit
   5.5 Responsibilities
   5.6 Conducting Internal Audit
   5.7 Report Writing - Classifying the Findings during NC Reporting
   5.8 Audit Closure Actions
   5.9 Follow-ups
6. Records
7. References
QF-IA01: Internal Audit Calendar
QF-IA02: Internal Audit Plan (Schedule)
QF-IA03: Audit Observation Sheet
QF-IA04: Internal Audit Non-Conformance Report

1. Purpose:

- To lay down a procedure to verify that the policies, processes and activities documented by the organization are performed in compliance with the requirements of the QMS (ISO 9001:2015) and ISMS (ISO 27001:2013) standards; and
- To verify the effectiveness of the QMS / ISMS by carrying out planned adequacy checks (internal audits), and to document the results of the audits.

2. Scope:

Applicable for all functions and processes performed by the scope organization, with the following definitions applicable to the terminology used:

Audit Term: Definition

Audit: Systematic, documented process of obtaining audit evidence and evaluating it objectively to determine the extent of fulfillment of the audit criteria.
Audit Criteria: Set of policies, procedures or requirements used as a reference.
Audit Evidence: Verifiable records, documents, statements of fact, or other information which is relevant to the audit criteria.
Auditor: A person who conducts the audit.
Auditee: A person who responds to the queries of the auditor by showing the evidence / records.
Audit Findings: Results of the evaluation of the collected audit evidence against the audit criteria.
Audit Team: One or more persons conducting an audit, supported if needed by technical expert(s), including an auditor appointed as team leader. The audit team may include auditors-in-training.
Observation: A 'potential non-conformance'. In other words, it may currently suffice as per the requirement of the standard, but unless improved it may result in a nonconformance in future.
Opportunities for Improvement (OFI): Suggestions for improving a process in an optimum manner. For this kind of finding the auditee has the choice to take corrective action as directed or in a modified manner.
Nonconformity (NC): Non-compliance with (not meeting) a requirement as specified in the standard or in the organization's documented policies, procedures and processes. This can be further split into:
  - Major NC: Can arise due to failure of the system, lack of system requirements, or a significant number of minor nonconformances.
  - Minor NC: An isolated case of failure to comply with a defined procedure or a requirement specified in the standard; a minor problem area that warrants attention.

3. Responsibility:

MR: Plan the internal audit; record keeping and follow-up for closure of findings.
Internal Auditors: Conduct the audit, prepare the audit report and submit it to MR.
Auditees: Participate during the audit; show the audit evidence asked for during the audit.

4. Process Flow:

Establish Audit Schedule -> Plan for Audit -> Inform the participants -> Meet with Management -> Prepare for Audit -> Conduct Audit -> Report to Management -> Corrective Action -> Closure & Escalation -> Top Management Review

5. Process Description:

5.1 Frequency

The internal audits shall be carried out twice a year, i.e. once every six (6) months.

5.2 IA Calendar

MR shall prepare an Internal Audit Calendar (QF-IA01) for the entire year, covering all functions and processes within each defined audit frequency interval.

5.3 IA Plan (Schedule)

An Internal Audit Plan (QF-IA02) (or Schedule) is prepared prior to each internal audit. The audit plan (schedule), indicating the date, time and scope of the audit for each function/process, shall be communicated to the concerned auditee at least 3 days before the audit is carried out. The Process Owners and the MR co-ordinate to prepare the audit plan, and the frequency is based on:
- the results of the previous audits,
- the significance of the information security aspects and risks involved, and
- the directions from top management.

5.4 Focus areas of internal audit

The internal audit shall focus on the following aspects:
- Conformance with the requirements of the ISO 9001:2015 / ISO 27001:2013 standards;
- Compliance with applicable legal, statutory, regulatory and contractual requirements;
- Extent of employee awareness (a) of the defined policies / processes for managing process quality and information security aspects, and (b) of their roles and responsibilities towards the quality and information security policies;
- Adequacy and effectiveness of the trainings, as well as of the documented procedures, to control and manage significant information security aspects;
- Validity and accuracy of the monitoring and measuring observations / results reported;
- Preparedness to judiciously and efficiently deal with emergencies related to IT disaster / crisis management, and with business continuity aspects in such situations.

5.5 Responsibilities

Sl. No   Function                                                          Primary                    Secondary
1        Planning and arranging Internal / External Audits                 MR                         -
2        Conducting Internal Audits                                        Internal Auditors          Audit Team Leader
3        Documenting Audit Findings                                        Audit Team Leader          Internal Auditors
4        Communicating Audit Findings to concerned persons / departments   Audit Team Leader          MR
5        Communicating Audit Findings to top management                    MR                         Respective Process Owner
6        Closure of audit findings                                         Respective Auditee         Respective Process Owner
7        Verifying closure of audit findings                               Internal Auditors          MR

5.6 Conducting Internal Audit

- The MR shall identify auditors from a pool of trained internal auditors within the organization, who shall audit each function/process identified in the internal audit plan/schedule. Allocation of auditors shall be cross-functional, so that auditors do not audit their own function.
- MR shall nominate any one auditor as team leader, on a rotational basis, to guide the audit process.
- The audit team leader shall ensure that the audit team is adequately prepared to initiate the audit.
  o The audit team leader, along with the audit team, may develop an audit checklist for one or more functions/processes under audit.
  o The audit team may prepare and use an audit checklist if required.
- The audit scope may include, if found necessary by the MR, the effectiveness of closure of non-conformances from previous audits.
- MR, if required, may request a representative from the Senior Management cadre to act as a neutral observer during the internal audit sessions, to oversee the proceedings / audit quality.
  o The observer shall not participate in the audit, either in the role of an auditor or in the role of an auditee.
  o The role of the observer shall be to provide an impartial report to top management on the fairness of the audit process conducted by the audit team and of the responses provided by the auditees.
- The auditor shall generally conduct the audit at the auditee's desk. The auditee shall have the opportunity to answer the queries to the satisfaction of the auditor.
- The auditor shall verify the responses to their queries against the documented processes / procedures and/or the requirements specified in the ISO 9001:2015 / ISO 27001:2013 standard(s). The auditor may refer to their checklist for information on the area under audit.
- The auditor (or the audit team) shall record their queries and the audit evidence found in the Audit Observation Sheet (QF-IA03).
- The audit team leader shall summarize the findings in consultation with the audit team and report the audit findings to the auditee(s) and the Process Owner.
5.7 Report Writing - Classifying the Findings during NC Reporting

- From the Audit Observation Sheet (QF-IA03), the audit team leader will prepare an Internal Audit Non-Conformance Report (QF-IA04) (abbreviated NCR) for each reported non-conformance.
- An audit finding can be classified as:
  o Opportunity for Improvement (abbreviated OFI): These will primarily be improvements suggested by the audit team as part of 'best practice' implementation. The auditee and the Process Owner have the option to accept the suggestion as-is, accept it with modification, or reject it.
  o Non-Conformance (abbreviated NC): These are non-fulfillment of a requirement, i.e. non-fulfillment of the audit criteria / documented policies, processes and procedures / requirements specified in the ISO 9001 or ISO 27001 standards / legal, statutory, regulatory or contractual requirements.
- NCs can be further classified as MAJOR, MINOR or OBSERVATION, wherein:
  o Major NCs:
    - A single deficiency or requirement of the standard not being implemented in the management system, or non-adherence to any legal or other requirement;
    - Lack of management system documentation to satisfy the requirements established in the standard or in the organization's procedures;
    - Management system documentation not being implemented consistently throughout the organization;
    - Numerous (more than 3 in number) minor non-conformities for a similar requirement, repeated in multiple functions / processes, that collectively indicate an overall weakness of the management system.
  o Minor NCs: The overall management system is defined and documented procedures exist. An acceptable level of implementation exists overall, but there are minor discrepancies or lapses in compliance with the standard's requirements and/or documentation.
  o Observation NCs: These are adverse conditions indicating that the system, as documented and implemented, is not effective enough to ensure achievement of the pre-defined objectives. They stand out as 'potential non-conformances' and, if action is not taken, may result in a non-conformance in future.
- Concluding the audit findings requires the following to be addressed:
  o The extent of conformity of the management system with the audit criteria;
  o The effective implementation, maintenance and improvement of the management system; and
  o The capability of the management review process to ensure the continuing suitability, adequacy, effectiveness and improvement of the management system.
- In order to classify an NC as Major or Minor, the audit team needs to think in terms of: What could go wrong if the non-conformity remains uncorrected? What is the likelihood of such a thing going wrong?
- In case of any disagreement on the audit findings, the audit team leader will discuss the issue with the concerned auditee or the Process Owner to agree on the finding.
  o MR shall arbitrate in the discussion, with authority to decide on the outcome.
  o In case it is difficult to arrive at a conclusion, the benefit of the doubt shall be given to the auditee and the NC will be dropped.

5.8 Audit Closure Actions

- The Auditor / Audit Team Leader shall ensure that the Internal Audit Non-Conformance Report (QF-IA04) is completed by the Auditee / Process Owner before submitting it to MR for filing and follow-up.
  o Corrective actions taken / likely to be taken, along with the target time, must be mentioned in the Internal Audit Non-Conformance Report (QF-IA04) in the space provided.
- All NCRs and Observation Sheets per audit cycle shall be maintained by MR for a period of minimum one (1) year.
- Non-conformances (NCRs) reported shall be addressed through the Nonconformity and Corrective Actions Procedure (L3-MCP-04), using the Corrective & Preventive Actions (CAPA) Sheet.
- All auditees and Process Owners shall ensure that all reported Nonconformities (NCs) pertaining to their work areas, from internal or external audits, are closed within 2 weeks or earlier.
  o In case closure of the nonconformity cannot be done within the 2 weeks due to complexity of resolution / dependence on a management decision, the auditee and Process Owner may take it up with MR, and if required with Senior Management, and determine an appropriate target timeline for closure based on justified reasons.

5.9 Follow-ups

- MR shall use the Corrective & Preventive Actions (CAPA) Sheet (specified in L3-MCP-04: Nonconformity and Corrective Actions Procedure) for periodic follow-up of findings (Nonconformities) pending closure.
- MR shall arrange to verify the corrective action after the target date, or during the next scheduled audit of that area, based on the status and importance of the activity; the auditor shall close the nonconformity report only after being satisfied of the effectiveness of the corrective action.
  o In case the auditee is found not to be taking action despite reminders, the matter may be escalated to the Process Owner and, if required, to senior management level (based on the status and importance of the activity).
- The Auditor shall close the report with relevant comments in the section provided in the Internal Audit Non-Conformance Report (QF-IA04).
- Based on the closure comments received in the NCRs, MR shall update the relevant sections of the Corrective & Preventive Actions (CAPA) Sheet (specified in L3-MCP-04: Nonconformity and Corrective Actions Procedure).

6. Records:

Sl No   Record ID   Name / Description                       Location   Retention Period   Disposition Type
1       QF-IA01     Internal Audit Calendar                  MR         1 year             Tearing / Deletion
2       QF-IA02     Internal Audit Plan (Schedule)           MR         1 year             Tearing / Deletion
3       QF-IA03     Audit Observation Sheet                  MR         1 year             Tearing / Deletion
4       QF-IA04     Internal Audit Non-Conformance Report    MR         2 years            Tearing / Deletion

7. References:

- ISO 9001:2015, clause
- ISO 27001:2013, clause 9.2
- ISO Guidelines for Auditing

QF-IA01: Internal Audit Calendar

Year:
Revision No.:

Function / Process   Month: Jan   Feb   Mar   Apr   May   Jun   Jul   Aug   Sep   Oct   Nov   Dec

Signature (MR):

QF-IA02: Internal Audit Plan (Schedule)

Date(s) of audit:

S No   Function / Process   Auditee   Auditor   Date and Time        Scope   Remarks, if any
1      HR                   1,2,3     A,b       25-nov 10am-12pm
2      Admin                          A
3      IT
4      Branch - Delhi
5      Branch - Gurgaon

Note: The auditors shall conduct the audit as per the above schedule. The Auditor can make minor adjustments in date and time in consultation with the Auditee. The Auditor shall hand over the Audit Non-Conformity Report, duly signed by the Auditee, to the MR.

Signature (MR):

QF-IA03: Audit Observation Sheet

The sheet shall be maintained in hardcopy.

Date(s) of audit:
Function/Process:
Auditor(s):
Auditee(s):

S.No   Query / Audit Look-in   Audit Evidence

QF-IA04: Internal Audit Non-Conformance Report

Date of Audit:
Dept./ Function/ Process:
NC No.:
Auditee(s):
Auditor(s):
ISO Standard & clause reference:
Findings along with objective evidence:
Classification (Major, Minor or Observation):
Signature of Auditee:

Corrections Made:
Signature of Auditor:                              Signature of Auditee:

Root Cause Analysis and Corrective Action Plan:
Signature of Auditee:

Corrective Actions Taken:
Signature of Auditee:

Verification of Corrective Actions for Effectiveness:
Signature of Auditor:

Non Conformity Report reviewed for effectiveness and decision:
Report closed: YES / NO
Remarks, if any:
Signature of MR: