An audit is a systematic evidence-gathering process. Audits must be independent, and evidence must be evaluated objectively to determine how well audit criteria are being met. There are three types of audits: first-party, second-party, and third-party. First-party audits are internal audits, while second-party and third-party audits are external audits.

Organizations use first-party audits to audit themselves. First-party audits are used to provide input for management review and for other internal purposes. They're also used to declare that an organization meets specified requirements (this is called a self-declaration).

Second-party audits are external audits. They're usually done by customers or by others on their behalf. However, they can also be done by regulators or any other external party that has an interest in an organization. Third-party audits are external audits as well. However, they're performed by independent organizations such as registrars (certification bodies) or regulators.

Audit criteria are used as a reference point and include policies, requirements, and other forms of documented information. They are compared against audit evidence to determine how well they are being met. Audit evidence is used to determine how well policies are being implemented and how well requirements are being followed.

Audit evidence includes records, factual statements, and other verifiable information that is related to the audit criteria being used. Audit criteria include policies, requirements, and other documented information.

Audit findings result from a process that evaluates audit evidence and compares it against audit criteria. Audit findings can show that audit criteria are being met (conformity) or that they are not being met (nonconformity). They can also identify best practices or improvement opportunities.

An audit program (or programme) refers to a set of one or more audits that are planned and carried out within a specific time frame and are intended to achieve a specific audit purpose.

A characteristic is a distinctive feature or property of something. Characteristics can be inherent or assigned and can be qualitative or quantitative. An inherent characteristic exists in something or is a permanent feature of something, while an assigned characteristic is a feature that is attributed or attached to something.

Competence means being able to apply knowledge and skill to achieve intended results. Being competent means having the knowledge and skill that you need and knowing how to apply it. Being competent means that you're qualified to do the job.

Conformity is the "fulfillment of a requirement". To conform means to meet or comply with requirements, and a requirement is a need, expectation, or obligation. There are many types of requirements, including customer requirements, quality requirements, quality management requirements, management requirements, product requirements, service requirements, contractual requirements, statutory requirements, and regulatory requirements.

An organization's context is its business environment. It includes all of the internal and external factors and conditions that affect its products and services, have an influence on its processes, and are relevant to its purpose and strategic direction.

An organization's external context includes all of the needs and expectations of interested parties, as well as its social, cultural, legal, technological, regulatory, and competitive environment.

An organization's internal context includes its values, culture, knowledge, and performance.

A correction is any action that is taken to eliminate a nonconformity. However, corrections do not address root causes. When applied to products, corrections can include reworking products, reprocessing them, regrading them, assigning them to a different use, or simply destroying them.

Corrective actions are steps that are taken to eliminate the causes of existing nonconformities in order to prevent recurrence. The corrective action process tries to make sure that existing nonconformities and potentially undesirable situations don't happen again.

Customer satisfaction is a perception. It's also a question of degree. It can vary from high satisfaction to low satisfaction. If customers believe that you've met their requirements, they experience high satisfaction. If they believe that you've not met their requirements, they experience low satisfaction.

Since satisfaction is a perception, customers may not be satisfied even though you've met all contractual requirements. Just because you haven't received any complaints doesn't mean that customers are satisfied.

There are many ways to monitor and measure customer satisfaction. You can use customer satisfaction and opinion surveys; you can collect product quality data (post delivery), track warranty claims, examine dealer reports, study customer compliments and criticisms, and analyze lost business opportunities.

A defect is a type of nonconformity. It occurs when a product or service fails to meet specified or intended use requirements.

Design and development is a process (or a set of processes) that uses resources to transform general input requirements for an object into specific output requirements.

An object is any entity that is either conceivable or perceivable. Objects can be real or imaginary and could be material or immaterial. Examples include products, services, systems, organizations, people, practices, procedures, processes, plans, ideas, documents, records, methods, tools, machines, technologies, techniques, and resources.

The term documented information refers to information that must be controlled and maintained and its supporting medium. Documented information can be in any format and on any medium and can come from any source.

Documented information includes information about the management system and related processes. It also includes all the information that organizations need to operate and all the information that they use to document the results that they achieve (aka records).

Effectiveness refers to the degree to which a planned effect is achieved. Planned activities are effective if these activities are actually carried out, and planned results are effective if these results are actually achieved.

The term feedback is used to refer to a comment or an opinion expressed about a product or service, or an interest expressed in a product or a service. It may also be used to refer to the customer complaints-handling process itself.

The term infrastructure refers to the entire system of facilities, equipment, and support services that organizations need in order to function.

An interested party is anyone who can affect, be affected by, or believe that they are affected by a decision or activity. An interested party is a person, group, or organization that has an interest or a stake in a decision or activity.

The term management refers to all the activities that are used to coordinate, direct, and control organizations. These activities include developing policies, setting objectives, and establishing processes to achieve these objectives. In this context, the term management does not refer to people. It refers to what managers do.

A management system is a set of interrelated or interacting elements that organizations use to formulate policies and objectives and to establish the processes that are needed to ensure that policies are followed and objectives are achieved. These elements include structures, programs, procedures, practices, plans, rules, roles, responsibilities, relationships, contracts, agreements, documents, records, methods, tools, techniques, technologies, and resources.

There are many types of management systems. Some of these include quality management systems, environmental management systems, financial management systems, information security management systems, business continuity management systems, emergency management systems, disaster management systems, food safety management systems, risk management systems, and occupational health and safety management systems.

The scope or focus of a management system could be restricted to a specific function or section of an organization, or it could include the entire organization. It could even include a function that cuts across several organizations.

Measurement is a process that is used to determine a value. In most cases this value will be a quantity.

Measuring equipment includes all the things needed to carry out a measurement process. Accordingly, measuring equipment includes instruments and apparatuses as well as all the associated software, standards, and reference materials.

To monitor means to determine the status of an activity, process, or system at different stages or at different times. In order to determine status, you need to supervise and to continually check and critically observe the activity, process, or system that is being monitored.

Nonconformity is a nonfulfillment or failure to meet a requirement. A requirement is a need, expectation, or obligation. It can be stated or implied by an organization or interested parties.

An objective is a result you intend to achieve. Objectives can be strategic, tactical, or operational and can apply to an organization as a whole or to a system, process, project, product, or service. Objectives may also be referred to as targets, aims, goals, or intended outcomes.

Objective audit evidence is information that is verifiable and generally consists of records and other statements of fact that are relevant to the audit criteria being used.

Objective evidence is data that shows or proves that something exists or is true. Objective evidence can be collected by performing observations, measurements, tests, or using other suitable methods.

An output is the result of a process. Outputs can be either tangible or intangible. The output from one process is often the input for another process.

When an organization makes an arrangement with an outside organization to perform part of a function or process, it is referred to as outsourcing. To outsource means to ask an external organization to perform part of a function or process normally done in-house.

According to ISO, the term performance refers to a measurable result. It refers to the measurable results that activities, processes, products, services, systems, and organizations are able to achieve. Whenever they perform well, it means that acceptable results are being achieved, and whenever they perform poorly, unacceptable results are achieved.

A process is a set of activities that are interrelated or that interact with one another. Processes use resources to transform inputs into outputs. Processes are interconnected because the output from one process often becomes the input for another process.

While processes usually transform inputs into outputs, this is not always the case. Sometimes inputs become outputs without transformation.

Organizational processes should be planned and carried out under controlled conditions. An effective process is one that realizes planned activities and achieves planned results.

The process approach is a management strategy. When managers use a process approach, it means that they manage and control the processes that make up their organization, the interaction between these processes, and the inputs and outputs that tie these processes together.

A product is a tangible or intangible output that is the result of a process that does not include activities that are performed at the interface between the supplier (provider) and the customer. Products can be tangible or intangible.

According to a note to this definition, there are three generic product categories: hardware, processed materials, and software. Many products combine several of these categories. For example, an automobile (a product) combines hardware (e.g. tires), software (e.g. engine control algorithms), and processed materials (e.g. lubricants).

A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. A specified requirement is one that has been stated (in a document, for example), whereas an implied requirement is a need, expectation, or obligation that is common practice or customary.

There are many types of requirements. Some of these include customer requirements, quality requirements, quality management requirements, management requirements, product requirements, service requirements, contractual requirements, statutory requirements, and regulatory requirements.

A review is an activity. Its purpose is to figure out how well the thing being reviewed is capable of achieving established objectives. Reviews ask the following question: is the subject (or object) of the review a suitable, adequate, effective, and efficient way of achieving established objectives?

There are many kinds of reviews. Some of these include management reviews, design and development reviews, customer requirement reviews, nonconformity reviews, and peer reviews.

According to ISO 31000, risk is the "effect of uncertainty on objectives", and an effect is a positive or negative deviation from what is expected. The following two paragraphs will explain what this means.

This definition recognizes that all of us operate in an uncertain world. Whenever we try to achieve something, there's always the chance that things will not go according to plan. Sometimes we get positive results, sometimes we get negative results, and occasionally we get both. Because of this, we need to reduce uncertainty as much as possible.

Uncertainty (or lack of certainty) is a state or condition that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding. In the context of risk management, uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete.

While this definition argues that risk can be positive as well as negative, a note acknowledges that "the term risk is sometimes used when there is only the possibility of negative consequences".

Risk-based thinking refers to a coordinated set of activities and methods that organizations use to manage and control the many risks that affect their ability to achieve objectives. Risk-based thinking replaces what the old standards used to call preventive action.

A service is an intangible output and is the result of a process that includes at least one activity that is carried out at the interface between the supplier (provider) and the customer.

Service provision can take many forms. Service can be provided to support an organization's own products (e.g. warranty service or the serving of meals). Conversely, it can be provided for a product supplied by a customer (e.g. a repair service or a delivery service). It can also involve the provision of an intangible thing to a customer (e.g. entertainment, ambience, transportation, or advice).

A special requirement is a requirement that may be especially difficult to achieve. Special requirements may be difficult to achieve because they force you to operate at the limit of your technical or process capability or at the limit of your industry's capability.

Since there is a risk that your organization may not be able to meet a special requirement, you're expected to include it in your operational risk management process. Either you or your customer may decide that a requirement is special. In order to figure out whether or not a requirement is special, consider the complexity and maturity of your product or process and your past experience.

A supplier is a person or an organization that provides products or services. Suppliers can be either internal or external to an organization. Internal suppliers provide products or services to people within their own organization, while external suppliers provide products or services to other organizations.

A system is defined as a set of interrelated or interacting elements. A management system is one type of system. It is a set of interrelated or interacting elements that organizations use to formulate policies and objectives and to establish the processes that are needed to ensure that policies are followed and objectives are achieved.

Traceability is the ability to identify and trace the history, distribution, location, and application of products, parts, materials, and services. A traceability system records and follows the trail as products, parts, materials, and services come from suppliers and are processed and ultimately distributed as final products and services.

Validation is a process. It uses objective evidence to confirm that the requirements which define an intended use or application have been met. Whenever all requirements have been met, a validated status is established. Validation can be carried out under realistic use conditions or within a simulated use environment.

There are several ways to confirm that the requirements which define an intended use or application have been met. For example, you could do tests, you could carry out alternative calculations, or you could examine documents before you issue them.

Verification is a process. It uses objective evidence to confirm that specified requirements have been met. Whenever specified requirements have been met, a verified status is achieved.

There are many ways to verify that requirements have been met. For example, you could inspect something, you could do tests, you could carry out alternative calculations, or you could examine documents before you issue them.