An audit is a systematic evidence gathering process. Audits must be independent and evidence must be evaluated objectively to determine how well audit criteria are being met. There are three types of audits: first-party, second-party, and third-party. First-party audits are internal audits, while second-party and third-party audits are external audits.

Organizations use first-party audits to audit themselves. First-party audits are used to provide input for management review and for internal purposes. They're also used to declare that an organization meets specified requirements.

Second-party audits are external audits. They’re usually done by customers or by others on their behalf. However, they can also be done by regulators or any other external party that has an interest in an organization. Third-party audits are external audits as well. However, they’re performed by independent organizations such as registrars (certification bodies) or regulators.

Audit criteria are used as a reference point and include policies, requirements, and other forms of documented information. They are compared against audit evidence to determine how well they are being met. Audit evidence is used to determine how well policies are being implemented and how well requirements are being followed.

Audit evidence includes records, factual statements, and other verifiable information that is related to the audit criteria being used. Audit criteria include policies, requirements, and other documented information.

Audit findings result from a process that evaluates audit evidence and compares it against audit criteria. Audit findings can show that audit criteria are being met (conformity) or that they are not being met (nonconformity). They can also identify best practices.

An audit program (or programme) refers to a set of one or more audits that are planned and carried out within a specific time frame and are intended to achieve a specific audit purpose.

A characteristic is a distinctive feature or property of something. Characteristics can be inherent or assigned and can be qualitative or quantitative. An inherent characteristic exists in something or is a permanent feature of something, while an assigned characteristic is a feature that is attributed or attached to something.

Competence means being able to apply knowledge and skill to achieve intended results. Being competent means having the knowledge and skill that you need and knowing how to apply it. Being competent means that you’re qualified to do the work.

Conformity is the "fulfillment of a requirement". To conform means to meet or comply with requirements, and a requirement is a need, expectation, or obligation. There are many types of requirements, including management requirements, product requirements, service requirements, contractual requirements, statutory requirements, and regulatory requirements.

An organization’s context is its business environment. It includes all of the internal and external factors and conditions that affect its products and services, have an influence on its processes, and are relevant to its purpose and strategic direction.

An organization’s external context includes all of the needs and expectations of interested parties, as well as its social, cultural, legal, technological, regulatory, and competitive environment. An organization’s internal context includes its values, culture, knowledge, and performance.

A correction is any action that is taken to eliminate a nonconformity. However, corrections do not address root causes. For products, corrections can include reworking them, regrading them, or assigning them to a different use.

Corrective actions are steps that are taken to eliminate the causes of existing nonconformities in order to prevent recurrence. The corrective action process tries to make sure that existing nonconformities and potentially undesirable situations don’t happen again.

Customer satisfaction is a perception. It's also a question of degree. It can vary from high satisfaction to low satisfaction. If customers believe that you've met their requirements, they experience high satisfaction. If they believe that you've not met their requirements, they experience low satisfaction. Since satisfaction is a perception, customers may not be satisfied even though you’ve met all contractual requirements. Just because you haven’t received any complaints doesn’t mean that customers are satisfied. There are many ways to monitor and measure customer satisfaction. You can use customer satisfaction and opinion surveys; you can collect product quality data (post delivery), track warranty claims, examine dealer reports, study customer compliments and criticisms, and analyze lost business opportunities.

A defect is a type of nonconformity. It occurs when a product or service fails to meet specified or intended use requirements.

Design and development is a process (or a set of processes) that uses resources to transform general input requirements for an object into specific output requirements.

An object is any entity that is either conceivable or perceivable. Objects can be real or imaginary and could be material or immaterial. Objects include products, services, systems, organizations, people, procedures, processes, plans, ideas, documents, records, tools, machines, technologies, techniques, and resources.

The term documented information refers to information that must be controlled and maintained and its supporting medium. Documented information can be in any format and on any medium and can come from any source.

Documented information includes information about the management system and related processes. It also includes all the information that organizations need to operate and all the information that is used to document the results that they achieve (aka records).

Effectiveness refers to the degree to which a planned effect is achieved. Planned activities are effective if these activities are actually carried out, and planned results are effective if these results are actually achieved.

The term feedback is used to refer to a comment or an opinion expressed about a product or service, or an interest in a product or a service. It may also be used to refer to the customer complaints-handling process itself.

The term infrastructure refers to the entire system of facilities, equipment, and support services that organizations need in order to function.

An interested party is anyone who can affect, be affected by, or believe that they are affected by a decision or activity. An interested party is a person, group, or organization that has an interest or a stake in a decision or activity.

The term management refers to all the activities that are used to coordinate, direct, and control organizations. These activities include developing policies, setting objectives, and establishing processes to achieve these objectives. In this context, the term management does not refer to people. It refers to what managers do.

A management system is a set of interrelated or interacting elements that organizations use to formulate policies and objectives and to establish the processes that are needed to ensure that policies are followed and objectives are achieved. These elements include structures, programs, procedures, practices, plans, rules, roles, responsibilities, relationships, contracts, agreements, documents, records, methods, tools, techniques, technologies, and resources.

There are many types of management systems. Some of these include quality management systems, financial management systems, information security management systems, disaster management systems, food safety management systems, risk management systems, and health and safety management systems.

The scope or focus of a management system could be restricted to a specific function or section of an organization, or it could include the entire organization. It could even include a function across several organizations.

Measurement is a process that is used to determine a value. In most cases this value will be a quantity. Measuring equipment includes all the things needed to carry out a measurement process. Accordingly, measuring equipment includes instruments and apparatuses as well as all the software, standards, and reference materials.

To monitor means to determine the status of an activity, process, or system at different stages or at different times. In order to determine status, you need to supervise and to continually check and observe the activity, process, or system that is being monitored.

Nonconformity is a nonfulfillment or failure to meet a requirement. A requirement is a need, expectation, or obligation. It can be stated or implied by an organization or interested parties.

An objective is a result you intend to achieve. Objectives can be strategic, tactical, or operational and can apply to an organization as a whole or to a system, process, project, product, or service. Objectives may also be referred to as targets, aims, goals, or intended outcomes.

Objective audit evidence is information that is verifiable and generally consists of records and other statements of fact that are relevant to the audit criteria being used. Objective evidence is data that shows or proves that something exists or is true. Objective evidence can be collected by performing observations, measurements, or tests, or by using other suitable methods.

An output is the result of a process. Outputs can be either tangible or intangible. The output from one process is often the input for another.

When an organization makes an arrangement with an outside organization to perform part of a function or process, it is referred to as outsourcing. To outsource means to ask an external organization to perform part of a function or process that is normally done by the organization itself.

According to ISO, the term performance refers to a measurable result. It refers to the measurable results that activities, processes, products, services, systems and organizations are able to achieve. Whenever they perform well, it means that acceptable results are being achieved, and whenever they perform poorly, unacceptable results are being achieved.

A process is a set of activities that are interrelated or that interact with one another. Processes use resources to transform inputs into outputs. Processes are interconnected because the output from one process often becomes the input for another process. While processes usually transform inputs into outputs, this is not always the case. Sometimes inputs become outputs without being transformed. Processes should be planned and carried out under controlled conditions. An effective process is one that realizes planned activities and achieves planned results.

The process approach is a management strategy. When managers use a process approach, it means that they manage and control the processes that make up their organization, the interaction between these processes, and the inputs and outputs that tie these processes together.

A product is a tangible or intangible output that is the result of a process that does not include activities that are performed at the interface between the supplier (provider) and the customer. Products can be tangible or intangible. According to a note to this definition, there are three generic product categories: hardware, processed materials, and software. Many products combine several of these categories. For example, an automobile (a product) combines hardware (e.g. tires), software (e.g. engine control software), and processed materials (e.g. lubricants).

A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. A specified requirement is one that has been stated (in a document, for example), whereas an implied requirement is a need, expectation, or obligation that is common practice or customary. There are many types of requirements. Some of these include quality management requirements, product requirements, service requirements, contractual requirements, statutory requirements, and regulatory requirements.

A review is an activity whose purpose is to figure out how well the thing being reviewed is capable of achieving established objectives. Reviews ask the following question: is the subject (or object) of the review a suitable, adequate, effective, and efficient way of achieving established objectives? There are many kinds of reviews. Some of these include management reviews, design and development reviews, nonconformity reviews, and peer reviews.

According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected. The following two paragraphs will explain what this means.

This definition recognizes that all of us operate in an uncertain world. Whenever we try to achieve something, there’s always the possibility that things will not go according to plan. Sometimes we get positive results and sometimes we get negative results. Because of this, we need to reduce uncertainty as much as possible.

Uncertainty (or lack of certainty) is a state or condition that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding. In the context of risk management, uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete. While this definition argues that risk can be positive as well as negative, a note acknowledges that the term risk is also used when there is only the possibility of negative consequences.

Risk management refers to a coordinated set of activities and methods that organizations use to manage and control the many risks that affect their ability to achieve objectives. A risk-based approach replaces what the old standards used to call preventive action.

A service is an intangible output and is the result of a process that includes at least one activity that is carried out at the interface between the supplier (provider) and the customer. Service provision can take many forms. Service can be provided to support an organization’s own products (e.g. warranty service or the serving of meals). Conversely, it can be provided for a customer (e.g. a repair service or a delivery service). It can also involve the provision of an intangible thing to a customer (e.g. entertainment, ambience, transportation, or advice).

A special requirement is a requirement that may be especially difficult to achieve. Special requirements may be difficult to achieve because they force you to operate at the limit of your process capability or at the limit of your industry’s capability. Since there is a risk that your organization may not be able to meet a special requirement, you’re expected to include it in your risk management process. Either you or your customer may determine that a requirement is special. In order to figure out whether or not a requirement is special, consider the complexity of your product or process and your past experience.

A supplier is a person or an organization that provides products or services. Suppliers can be either internal or external to an organization. Internal suppliers provide products or services to people within their own organization, while external suppliers provide products or services to other organizations.

A system is defined as a set of interrelated or interacting elements. A management system is one type of system. It is a set of interrelated or interacting elements that organizations use to formulate policies and objectives and to establish the processes that are needed to ensure that policies are followed and objectives are achieved.

Traceability is the ability to identify and trace the history, distribution, location, and application of products, parts, materials, and services. A traceability system records and follows the trail as products, parts, materials, and services come from suppliers and are ultimately distributed as final products and services.

Validation is a process. It uses objective evidence to confirm that the requirements which define an intended use or application have been met. Whenever all requirements have been met, a validated status is established. Validation can be carried out under actual use conditions or within a simulated use environment. There are several ways to confirm that the requirements which define an intended use or application have been met. For example, you could do tests, you could carry out alternative calculations, or you could examine documents before you issue them.

Verification is a process. It uses objective evidence to confirm that specified requirements have been met. Whenever specified requirements have been met, a verified status is achieved. There are many ways to verify that requirements have been met. For example, you could inspect something, you could do tests, you could carry out alternative calculations, or you could examine documents before you issue them.