
Exam by Muhammad

Section one

1.1

Answer: According to ISO 9001:2015, competence is defined as “the ability to apply knowledge and
skills to achieve intended results”. Put simply, it is putting in the effort to gain something you want.

1.2

Answer: From ISO 19011:2002 - Guidelines for quality or environmental management systems auditing:

Audit scope is the extent and boundaries of an audit. For example, the audit scope generally includes a
description of the physical locations, organizational units, activities and processes, as well as the time
period covered.

Audit criteria are a set of policies, procedures or requirements. For example, audit criteria are used as a
reference against which audit evidence is compared.

So basically the scope is who, what, where, when; and the criteria are what you are auditing against,
whether the standard or internal procedures, etc.

1.3

Answer: Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the
organization itself for management purposes and can form the basis for an organization’s self-
declaration of conformity.

The organization shall conduct internal audits at planned intervals to provide information on whether
the quality management system:

1. Conforms to

• The organization’s own requirements for its quality management system.
• The requirements of the international standard.

2. Is effectively implemented and maintained.

1.4

Answer:

1- Quality management can no longer be delegated. The Organization’s leaders are responsible for the
QMS being implemented and effective.

2- The established quality policy and quality objectives must be compatible with the context and
strategic direction of the organization.

3- Leadership must ensure integration of the QMS into the organization’s business processes.

4- Leadership must assign the responsibilities and authorities for ensuring that processes are delivering
their intended outputs.

1.5

Answer: Design verification checks whether the software conforms to a specification, whereas design
validation checks whether the software meets the requirements and expectations. Verification finds
bugs early in the development cycle, whereas validation finds the bugs that verification cannot catch. In
other words, verification is the theoretical explanation, whereas validation is the practical example in the field.

Section 2

2.1

Answer: The definitions in ISO 9000 are:

Monitoring:

To monitor means to determine the status of an activity, process, or system at different stages or at
different times. In order to determine status, you need to supervise and to continually check and
critically observe the activity, process, or system that is being monitored. Monitoring, however, may or
may not involve specific measurement. For example, while making tea at home, the boiling/heating of
water is monitored visually only and no actual measurement of temperature is carried out.

Measurement:

Measurement is a process that is used to determine a value. In most cases this value will be a quantity.
Monitoring, however, may or may not involve specific measurement. For example, when making tea at
home, the boiling/heating of water is monitored visually only and no actual measurement of temperature
is carried out.

Measuring equipment:

Measuring equipment is a device that is used to measure or determine something or a value. For
example, when boiling water and checking the boiling temperature with a specific device, that device,
such as a thermometer, is measuring equipment.

2.2

Answer: There is a range of factors taken into consideration when selecting and retaining external
auditors. In particular, one key consideration is the independence of the auditing process, as history and
research have indicated that the success of the external auditor is predominantly based on the probability
that an auditor will both find and report a breach in the financial and accounting systems of an
organization. However, companies will often consider several further characteristics when assessing
audit firm service suitability. The importance organizations place on the various criteria varies from firm
to firm and is typically dependent on the specific needs of that enterprise.

The major factors that are considered in selecting and retaining an auditor include:

1. The size of the audit firm
2. The status of ongoing auditor engagements
3. The cost of the audit firm's service and
4. The specialty of service the auditing firm offers.
5. The auditor must meet with management of the company to determine if any internal changes
in control, procedures or other factors have affected company record keeping and reporting.

2.3 a

Answer: For example, the auditor has an engagement with a company to audit the financial statements.
Before signing the audit engagement letter, the auditor needs to obtain some information about the
client, perform the client’s due diligence, and assess whether to reject or accept the engagement. In
this case, if the engagement is readily signed, that means the assessment is already done and accepted.

The documents that auditors use to document the nature of the client's business, perform client due
diligence, and carry out the assessment are examples of audit working papers.

Answer:

The auditor should prepare the audit documentation on a timely basis and in such a way so as to enable
an experienced auditor, having no previous connection with the audit, to understand:

1- The nature, timing, and extent of the audit procedures performed to comply with ISAs and
applicable legal and regulatory requirements
2- The results of the audit procedures and the audit evidence obtained, and
3- Significant matters arising during the audit.
4- The conclusions reached and significant judgments made in reaching those conclusions.

2.4

Answer: It is recommended that the following outline or subjects are used for conducting the Closing
meeting:

1- Introductions

• Thank the organization for their assistance, co-operation and hospitality

• Deal with any issues of confidentiality

• Emphasize that the auditing process can only sample the Data Protection System at a
particular moment in time

• Ask the management team to defer any questions until after the findings have been presented

2- Presentation of Findings

• Presentation of the detailed findings which involves:

• Confirmation of each non-compliance found

• Agreement to suitable corrective action for each non-compliance

• Indication of timescales for completion of corrective action

• Ask other members of the Audit Team to report if appropriate

• Presentation of an Audit summary including a judgement of the level of Data Protection
compliance achieved by the organization

• Invite questions for clarification and provide immediate answers wherever possible

3- Post Audit Reporting

• Explain to the management team the nature of summary report they will receive, e.g.
Compliance Audit report together with associated Non-compliance Reports etc.

• Establish the organization’s requirements for distribution of the summary report

4- Audit Follow-up

• Agree the nature of any required follow-up visit, e.g. documentation check, partial re-audit or
full re-audit

• Arrange the timescale for any required follow-up visit.

Section 3

3.1

Answer: The main checklist for checking must include:

• management,
• customer,
• requirements,
• policy,
• procedure,
• planning,
• performance,
• objective,
• control,
• monitoring,
• measurement,
• auditing,
• decision making,
• corrective action and
• nonconformity.

Expanding upon this, this section requires organization leadership to:

- Implement the process approach and risk-based thinking

- Provide the necessary support to fully implement and sustain the QMS

- Communicate to the organization the importance of conforming to QMS requirements

- Ensure the QMS meets its goals

- Engage, direct, and support individuals contributing to the QMS (i.e. provide employees with
training, get employees involved)

- Create a culture of continuous improvement

The quality of audit evidence is very important to make sure that the conclusion made by the
auditor is correct. If the information is not strong or is of low quality, the audit risk of making incorrect
audit opinions is high. The quality of audit evidence depends mainly on the form and source of the
evidence. Here is the detail:

• External source: Evidence obtained directly from external parties such as customers,
suppliers, or banks is more reliable than evidence obtained from clients. For example, accounts
receivable confirmations obtained from the client’s customers are more reliable than the
records prepared by clients.
• Prepared by auditor: Evidence prepared by the auditors themselves is more reliable than
evidence prepared by or obtained from the client. For example, a bank reconciliation
prepared by the auditor is more reliable than the bank reconciliation prepared by the
accountant.
• Prepared by client: The reliability of evidence obtained from clients depends
on the reliability of the client’s internal control.
• Written form: Audit evidence in writing is more reliable than verbal evidence.
For example, management confirmation in the form of an email is more reliable
than verbal confirmation.
• Original form: Original invoices used to support payment transactions are more
reliable than copies of invoices.

Since the quality of audit evidence is important, the standard or local authority that controls audit firms
requires the audit firm to have the proper audit manual, policy, and procedures in place so that the firm
can maintain the quality of the audit as well as the quality of audit evidence.

3.2

a)

Answer:

Three main benefits are:

1- Increased sales
Implementing an effective QMS will improve customer satisfaction, through enhanced process
and customer service. In turn, this will lead to an improved sales performance.
2- Reduced cost
A successful QMS can reduce problems, waste and a significant amount of employee time.
Issues are identified sooner and access to relevant information is widely available. Ultimately,
this will reduce operational costs and improve efficiency.
3- Improved operating efficiencies
Introduction of a QMS into operating standards means better control of supplier input into the
production and service processes, thereby improving efficiency.

b)

Answer:

The following are the main disadvantages of an overly documented system:

• Lack of storage space. ...
• Security issues. ...
• Prone to damage. ...
• Document transportation. ...
• Editing problems. ...
• High costs. ...
• Limit communication and collaboration. ...
• Environmental damage.

c)

Answer:

1- Documented information that must be retained (let us use the old term “records” to describe
them); and
2- Documented information that must be maintained (let us use the old term “documents” to
describe them).

Documents of external origin relevant for the QMS can be, for example, Product Specifications,
Logistics Specifications, Material Safety Data Sheets, Legislation, Permits, Standards, Platform Rules,
or Work Instructions.

And

• Increased customization of documents required by customers. ...
• Difficulty keeping track of document revisions. ...
• Understanding where each document is in the process. ...
• The time-consuming and often clerical nature of documentation work. ...
• Customized datebooks.

3.3

a)

Answer:

Some of the reasons to conduct such a review include:

• Ensuring the effective utilization of the organization’s human resources
• Reviewing compliance in relation to administration of the organization
• Instilling a sense of confidence in management and the human resources function
• Maintaining or enhancing the organization and the department’s reputation in the community
• Performing “due diligence” review for shareholders or potential investors/owners
• Establishing a baseline for future improvement for the function

b)

Answer:

Step one: identify the issue

This process begins by identifying when something doesn’t happen as expected. It could be a customer
complaint about bad service, or the identification of faulty packaging during an internal inspection.
These errors can be picked up in several ways, from staff logging their observations on a spreadsheet
through to internal audits and management reviews.

Once spotted, it needs to be recorded in a Non-Conformity Report or Corrective Action Report.

Within this report you must identify the impact of the non-conformity and who will be affected by it.

Step two: gather a response crew

Your next step is to gather together a team who can help to determine the root cause of the problem
and implement the corrective action. This will probably involve personnel at the top of your company,
but you will also need to include those who do the actual job.

Your team will need to be comfortable carrying out a comparative analysis.

This means that they will need to assess the following:

• What is different and unusual about the non-conformity, and what may have changed?
• How is the non-conformity linked to people, processes, machines, materials or the environment
of the business?
• What are the facts surrounding the possible cause?

Step three: finding the root cause

There are lots of different problem-solving techniques that can help you get to the bottom of a non-
conformity. You should use the one that you are most comfortable with.

If you’re unsure, one of the simplest is known as the ‘five whys’.

Using the example from the non-conformity log, the ‘whys’ would run as follows.

• First why: A delivery note had not been signed because a member of staff had released the
product without following the release and dispatch procedure.
• Second why: It was released without following the procedure because the staff member was
new.
• Third why: The new staff member did this because they had not had the relevant training.
• Fourth why: They did not receive the right training because there is not an adequate training
programme in place.
• Fifth why: There isn’t adequate training because the training procedure is out of date.

Step four: taking corrective action

Whatever problem-solving tool you have used, you should now have a fairly good idea of what
permanent corrective action could be taken. A permanent corrective action is one that should stop
the non-conformity from happening again. This means you will probably have to change some aspect of
your processes, policies or procedures.

Section four
