AUDIT

L-26
Audit
• An Audit is defined methodology carried out by a competent and
independent person to review the practice being followed .

• Audit tells us whether we are doing what we should be doing and

how well we are doing it .

• It is about quality and finding out if best practiced is being practiced

and records are maintained and updated as required .
Audit Survey

• 1) Audit always focuses on past activities • 1) Survey forecasts on future activities

and then detect the fault and propose the so that equipment continues to
corrective action. function for next survey.
• 2) Audit always focuses on system
• 2) Survey focuses on physical status of
operation, system procedure and
documentation. machinery or equipment.
• 3) Audit always looks only on the system. • 3) Survey looks on product.
• 4) Audit is focused on software items. • 4) Survey is focused on hardware
• 5) Audit of entire system is not possible as • 5) Survey of entire system is possible
it is done on sampling basis like like safety equipment survey, main
surveillance audit engine performance survey etc
• 6) For example an auditor will check
satisfactory repair of pump and will • 6) For example in a survey of fire
enquire, find and analyze as to when pump surveyor will check satisfactory
pump was last inspected, why deficiency repair of pump and noted deficiency
not found before survey etc. removed.
Types of Audit
• 1. First Party Audit
• 2. Second Party Audit
• 3.Third Party Audit
First party Audit
• A first-party audit is performed within an organization to measure its
strengths and weaknesses against its own procedures or methods
and/or against external standards adopted by (voluntary) or imposed
on (mandatory) the organization.
• A first-party audit is an internal audit conducted by auditors who are
employed by the organization being audited but who have no vested
interest in the audit results of the area being audited.
Second Party Audit
• A second-party audit is an external audit performed on a supplier by a
customer or by a contracted organization on behalf of a customer. A
contract is in place, and the goods or services are being, or will be,
delivered. Second-party audits are subject to the rules of contract law,
as they are providing contractual direction from the customer to the
supplier.
• Second-party audits tend to be more formal than first-party audits
because audit results could influence the customer’s purchasing
decisions.
• SIRE Inspection
Third Party Audit
• A third-party audit is performed by an audit organization independent
of the customer-supplier relationship and is free of any conflict of
interest. Independence of the audit organization is a key component
of a third-party audit.
• Third-party audits may result in certification, registration, recognition,
an award, license approval, a citation, a fine, or a penalty issued by
the third-party organization or an interested party.
• External ISM/ISPS Audits.
Performance versus compliance/conformance
audits
• Various authors use the following terms to describe an audit purpose beyond
compliance and conformance: value-added assessments, management audits,
added value auditing, and continual improvement assessment.
• The purpose of these audits goes beyond traditional compliance and conformance
audits. The audit purpose relates to organization performance.
• Audits that determine compliance and conformance are not focused on good or
poor performance. Yet performance is an important concern for most organizations.

• A key difference between compliance/conformance audits and audits designed to

promote improvement is the collection of audit evidence related to organization
performance versus evidence to verify conformance or compliance to a standard or
procedure.
Follow-up audit
• A product, process, or system audit may have findings that require correction
and corrective action.
• Since most corrective actions cannot be performed at the time of the audit, the
audit program manager may require a follow-up audit to verify that corrections
were made and corrective actions were taken.
• Due to the high cost of a single-purpose follow-up audit, it is normally combined
with the next scheduled audit of the area. However, this decision should be
based on the importance and risk of the finding.
• An organization may also conduct follow-up audits to verify preventive actions
were taken as a result of performance issues that may be reported as
opportunities for improvement. Other times organizations may forward
identified performance issues to management for follow-up.
Audit -Phases
• Audit preparation –
• Audit preparation consists of everything that is done in
advance by interested parties, such as the auditor, the lead
auditor, the client, and the audit program manager, to ensure
that the audit complies with the client’s objective.
• The preparation stage of an audit begins with the decision to
conduct the audit.
• Preparation ends when the audit itself begins.
Audit -Phases
• Audit performance –
• The performance phase of an audit is often called the
fieldwork. It is the data-gathering portion of the audit and
covers the time period from arrival at the audit location up
to the exit meeting. It consists of activities including on-site
audit management, meeting with the auditee, understanding
the process and system controls and verifying that these
controls work, communicating among team members, and
communicating with the auditee.
Audit -Phases
• The audit should start with an opening meeting in order to introduce the audit
team to the Company's senior management, summarize the methods for
conducting the audit, confirm that all agreed facilities are available, confirm time
and date for a closing meeting and clarify possible unclear details relevant to the
audit.
• The audit team should assess the SMS on the basis of the documentation
presented by the Company and objective evidence as to its effective
implementation.
• Evidence should be collected through interviews and examination of documents.
Observation of activities and conditions may also be included when necessary to
determine the effectiveness of the SMS in meeting the specific standards of
safety and protection of the environment required by the ISM Code.
Audit- Phases
• Audit observations should be documented. After activities have been
audited, the audit team should review their observations to determine
which are to be reported as non conformities. Non conformities should be
reported in terms of the general and specific provisions of the ISM Code.

• At the end of the audit, prior to preparing the audit report, the audit team
should hold a meeting with the senior management of the Company and
those responsible for the functions concerned. The purpose is to present
the observations to ensure that the results of the audit are clearly
understood.
•
Audit -Phases
• Audit reporting –
• The purpose of the audit report is to communicate the
results of the investigation. The report should provide
correct and clear data that will be effective as a management
aid in addressing important organizational issues. The audit
process may end when the report is issued by the lead
auditor or after follow-up actions are completed.
Audit -Phases
• Audit follow-up and closure –
• According to ISO 19011, clause 6.6, “The audit is completed
when all the planned audit activities have been carried out,
or otherwise agreed with the audit client.” Clause 6.7 of ISO
19011 continues by stating that verification of follow-up
actions may be part of a subsequent audit.
Observation
• “Observation" means a statement of fact made during a Safety
Management Audit and substantiated by objective evidence.

• "Objective evidence" means quantitative or qualitative information,

records or statements of fact pertaining to safety or to the existence
and implementation of a SMS element, which is based on
observation, measurement or test and which can be verified.
Observation
• Ship’s SMS requires that certain critical spares need to be on board all the time.
Ship’s SMS also require that charts and publications need to be kept update and
maintained in good condition.

• The observation on this can be

• Two A/E critical spare parts were not on board as these were recently consumed.
The requisition for same was in place.
• One of the chart was torn at the end and was found with a tape
• Both of these are observations because the ship is complying with the requirement
of SMS. But if these situations are not corrected, it may lead to a non-conformity.
NON- CONFORMITY:-
• A non conformity means an observed situation where objective evidence
indicates the non fulfillment of a specified requirement of the ISM code.
• When an NC is found, agreement must be reached with the management
of the department concerned that the perceived NC exists. Certificate can be
issued or endorsed provided suitable corrective action and appropriate time
scale (not exceeding 3 months) is agreed.
• Closure of an NC does not require a revisit by auditor.
• Written notification of completion of corrective action accompanied where
possible with objective evidence must be forwarded.
• An NC which is not corrected with the stipulated time frame may be
upgraded to a major NC and result in invalidation of certificate.
NON- CONFORMITY:-
• Non-conformity means an observed situation where objective evidence indicates the
non-fulfilment of a specified requirement.
• This is different from an observation because in this case a specific requirement of the
ISM code was not met.
• In the example we discussed under “Observation”, “non-conformity” will be

• Two A/E critical spare parts were not on board as these were recently consumed. The
requisition for same was not in place.
• On random checking, one permanent correction on one of the voyage chart was missing.
• The SMS requires that minimum inventory of the critical spares need to be maintained
at all times. In this case as the requirement under Section 10 of the ISM code
(maintenance of ship and equipments) were not met.
MAJOR NON- CONFORMITY:-
• A major non-conformity means an identification deviation which
poses a serious threat to the safety of personnel or the ship or a
serious risk to the environment and requires immediate corrective
action.
• Eg: Contingency plans for various emergencies were not updated and
ready
• The new definition added to major NC after July 2010 is “ major NC
now also makes clear that this can be lack of effective and systematic
implementation of requirement of this ISM code.”
MAJOR NON- CONFORMITY:-
• When a major NC is raised, corrective action must be implemented
before a new certificate can be issued or before existing certificate is
endorsed at an annual DOC or intermediate SMC verification.
• RO may ask to the company for immediate corrective action to at
least downgrade the major NC to an NC as early as possible.
• After verification of corrective action by auditor a short term DOC or
SMC valid for 3 months can be issued.
MAJOR NON- CONFORMITY:-
• Corrective action for the NC and the time frame for the same can be
then agreed.
• Also, a significant number of NCs identified against the same section
of the ISM code may be issued as a single major NC.
• All major NCs including those that are downgraded before the
completion of the audit are to be reported to the flag state/
company/ master in writing.
MAJOR NON- CONFORMITY:-
• A major non-conformity can be because of one single major deficiency or incident.
Or it can be because of number of small deficiencies from one area.
• For example, a single deficiency on Marpol equipments or Life saving appliances
can be a major non conformity.
• Also a number of small deficiencies on record keeping can be considered as a major
non conformity.
• If I have to differentiate between a Minor Non conformity and a major non
conformity, I will do that with one point.
• A minor non conformity may be an error, something someone forgot to do or a
non-compliance on a single instance.
• A major non compliance is a system failure. It just indicates that the SMS is not
effectively implemented.
MAJOR NON- CONFORMITY:-
• Few quick points about handling major conformities

• Ship’s cannot sail with a major non-conformity. Ship can only sail once it has been
downgraded to a minor non conformity
• A major non conformity will be downgraded once flag is satisfied that the effective
corrective actions are being taken
• Corrective actions to close this non conformity need to be completed in less than
three months
• If the nature of major non conformity is very serious, the Safety management
certificate of the ship may be withdrawn. In this case even the interim Safety
management certificate will not be issued. Ship need to go through the initial
process of obtaining the SMC which would include initial verification of the SMS.
DEFICIENCY AND NON CONFORMITY
• "Deficiency" means a defect in, or a failure in the operation of, a part of the
ship’s structure or its machinery, equipment, fittings, or a failure in the
documentation.
• “Non-conformity” means an observed situation where objective evidence
indicates the non‐fulfilment of a specified requirement.
• A deficiency is awarded when there is non fulfilment of any STATUTORY
SURVEY / REQUIREMENTS. initial annual intermediate renewal even PSC eg
items pertaining to any statutory certificates SEQ SAFCON SRT or any codes.
• Non conformity are terms used exclusively for AUDITS let it be ISM or
ISPS .... During audits NON CONFORMITY are issued during SURVEY
deficiencies
Corrective Action
• Symptom is observed or communicated. The symptom must be quantified through the
application of five questions, or 5Q, and confirmed as a true symptom, worthy of defining
further.
• (What, Why, Where, When and How)
• Problem Statement is created by using the 5 Why approach, driving as deep into the problem
as data will permit.
• Problem Description is written based on further investigation of the What, Where, When and
How Big data collected.
• Theories are developed on remaining possible causes.
• Root cause is verified by turning it on or off at will.
• Permanent Corrective Actions are determined for root cause and inspection process (which
also failed to stop the cause from escaping).
• Implementation and Validation of the Corrective Action.
Preventive Action
• Capture the Problem Statement as an Object-Defect for searchable databases.
• Link root causes to the Problem Statement with the Permanent Corrective Action.
• Identify other systems, facilities and processes which could benefit from the
knowledge captured.
• Assure Systems Documents are updated, including but not limited to:
• Failure Mode and Effects Analysis (FMEA)
• Control Plan Methodology
• Work Instructions
• Archive information for future retrieval including supporting information.
• Publish and close-out team experience.
EXTENSION OF SMC:-
• When an extension of SMC is requested for, same can be done if a
ship, at a time when SMC expires is not in port in which it is to be
verified.
• Then period by validity of the SMC may be extended. But the
extension period cannot exceed 3 months.
• A ship to which extension is granted should not by virtue of such
extension be allowed to leave port without a new SMC.
• When the renewal verification is completed the new SMC is valid to a
date not exceeding 5 years from the expiry date of the existing SMC,
before the extension was granted.
REVISION OF AN ENTRY IN A
CERTIFICATE:-
• When the particulars, such as ship’s name, company’s name or
address mentioned in the SMC or DOC are changed, an additional
audit to rewrite the SMC or DOC is required.
INVALIDATION OF SMC:-
• An SMC will be invalidated when
• 1) A company has not undergone an internal audit of ship annually.
• 2) There is evidence of major NC.
• 3) Corrective actions for NCs are not completed within agreed period of time.
• 4) Amendments in Ism code are not taken into account by the company.
• 5) DOC of the company is invalidated.
• 6) A ship is not maintaining class or the classification society is not authorized by the
administration.
• 7) Absence of adequate manning as per safe manning document unless the master is
in possession of a valid exemption from administration.
• 8) If a ship’s flag is changed or its company is changed.
INVALIDATION OF DOC:
• 1) Corrective action for NC is not taken within agreed time period.
• 2) Company is not audited annually or has not requested for audit.
• 3) Applicable amendments to ISM code has not been taken into
account.
• 4) There is an evidence of an unresolved major NC.
• 5) Cancellation is requested by DOC holder.
• 6) Company’s name and address is changed or company no longer
exists.
SMC
DOC
Audit Report
• An audit report is basically a four step process comprising of:
• What is wrong?
• Disclosure of findings and processess involved in arriving at such finding.
• Why is it wrong?
• Description of findings Description of findings-the root cause analysis. the
root cause analysis.
• How to correct it?
• Recommendations and Suggestions.
• What will be done?
• Auditee's views and comments.
Audit Report
• Disclose findings:
• Present findings both favourable and unfavorable in a concise
manner so th and unfavorable in a concise manner so that the auditee
is apprised of the situation in an operation / segment.
Audit Report
• Description of findings:
• Adverse findings should be described in detail.
• It could be internal control weakness, gaps, violations of procedures
or any other audit concern.
• Each finding must be provable.
• Auditor beliefs, without proper documentation will not be carried to
the report.
Auditee’s Comments:
• The auditee may wish to provide clarifications on any of the issues
reported or state the constraints or mitigating circumstances or what
corrective action the auditee has initiated or proposes to initiate.
Audit report communication
• Discussion Draft: At the conclusion of fieldwork, the auditor should
draft the report and present it to the entity’s management for audit
and present it to the entity’s management for auditee’s auditee’s
comments. ee’s comments.
• Exit Meeting: The auditor should discuss with the management the
findings, observations, recommendations, and text of draft and obtain
their comment on the draft, achieve consensus and reach an
agreement on the audit findings.
Audit report communication
• Formal Draft: The auditor should prepare a formal d ormal Draft: The
auditor should prepare a formal draft, in view of the outcome of aft,
in view of the outcome of the exit meeting and other discussions.
Upon review of such changes by the auditor and the management,
the final report should be issued.
• Final Report: The report should be submitted to the appointing
authority or such members of management, as directed
Addressee of report:
• The Final Report should always be addressed to a person one level
above the auditee or as mandated by the appointing authority.
• The additional copies or CC may be marked to persons in the
distribution list as finalized at the time of engagement or as mandated
by the appointing authority.
• Draft reports may be addressed directly to the auditee auditee level
for tee level for obtaining their response.
Confidentiality:
• Hard copies: The report should be marked strictly c strictly
confidential, and onfidential, and should be circulated in sealed
envelopes, only to the persons mentioned in the distribution list.
• Soft copies: To ensure transparency and visibility, a single mail should
preferably be sent with CC to persons in distribution list, instead of
sending individual mails to each such recipient.