Audit Timeline



What is the ASQ recommended time frame between an auditee receiving a final audit plan and the audit commencing at the auditee’s site?


From Charlie Cianfrani:

ASQ does not have a recommendation!

From George Hummel:

This is not an ASQ requirement.  A CB generally sends an audit schedule/plan three weeks before the audit.

From Jim Werner:

Typically, the final audit plan has been agreed to by both the auditor and the auditee and it includes the date(s) the audit is to take place. This means that the audit plan includes the audit schedule in one document.  There are many books written, with examples, on this topic.  The ASQ Audit Division is a good source.

ISO 17025 and Business Changes


My organization has just been recently accredited to ISO/IEC 17025:2005. Shortly thereafter, changes were made to the organization’s structure and business operations.  I would like to know:

1) When should these changes be reflected in the Quality Manual?

2) Do I need to advise the local registrar about the changes?

3) Are these changes time-sensitive that need to be reported to the certifying body to maintain certification or, should I just wait for the next surveillance audit coming in about six (6) months?


Thank you for your question.  Updates to your Quality Management System and Quality Manual should be made as soon as they are implemented.  I would suggest notifying your CB of the changes now and letting them plan for auditing these changes.  They will likely want to roll that into your next surveillance and not make a special visit.  That decision, of course, would be up to them.


Denis J. Devos, P.Eng
A Fellow of the American Society for Quality
Devos Associates Inc.
(519) 476-8951

Internal Audits



If a 2nd or 3rd party performs a full system audit on my QMS, can it be used to satisfy the requirement for Internal Audit of that year?


Thank you for sending your question to ASQ’s Ask The Experts program.

My first response to your question would simply be, no, you cannot use a 2nd or 3rd party audit to satisfy the requirement for Internal Audits.

The thing to consider is, who will the final Audit Report go to? That is, who is the customer?  An Internal Audit is conducted to your QMS and to your criteria. The final report would generally be directed to senior management.

A second or third party audit is most often performed by a customer or by a registrar. They would be guided by different criteria. A customer audit would not be of your entire QMS or give evidence of its overall efficacy. It would be inspired by what would be pertinent to the product or service you provide to them. A registrar audit would be to verify your facility’s compliance to standards but not necessarily the entire QMS.

You can see how this would be leading down a path one wouldn’t want to follow.  Therefore, Internal Audits should remain . . . internal.

Bud Salsbury, CQT, CQI


Internal Audits



Can the Management Representative be part of the internal auditor team?


Thank you for contacting ASQ’s Ask the Experts program.  Concerning your question, ISO 9001:2008, clause 8.2.2, only prohibits persons from auditing their own work.  So provided that the Management Representative is assigned to audit processes that are outside his/her work responsibilities, there is no other restriction in this regard.  ISO 19011:2011, clause 4.0, “Principles of auditing” as well as clause 6.3.3, “Assigning work to the audit team”, should be reviewed for additional insight and understanding.

I hope this helps.

Best regards,


Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891


Auditor’s Responsibilities



Is it an auditor’s responsibility to seek the “root cause” while conducting an audit?


An auditor should not seek the root cause for an audit finding. An auditor’s responsibility is to verify compliance with a requirement (e.g. ISO 9001 standard) and determine if there is compliance with the requirement or not. In doing so, there is objectivity in making that assessment.

If an auditor determines the root cause, it introduces subjectivity and potential conflict of interest to the audit process and in correcting an issue. In addition, the auditor may not have the full information about the issue thus the “root cause determined by the auditor” may not correct the non-compliance to the requirement.

Best Regards,


Dilip A. Shah ASQ Fellow, ASQ-CQE, CQA, CCT,
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services
Past Chair, ASQ Measurement Quality Division (2012-2013)
Past Member of the A2LA Board of Directors (2006-2014)
Tel: 330-328-4400
Fax: 1-888-226-9533

Postponement of Surveillance Audit Due to Force Majeure Event



If a Force Majeure event affects the company during the time that the annual Surveillance Audit was to be done, can the Surveillance Audit be postponed until after the conclusion of the Force Majeure period without losing ISO 9001 certification?  Will the impact be 1.) Merely a certificate lapse rectified with passing the re-scheduled Surveillance Audit loss, 2.) Loss of certification requiring the next audit to be a Certification Audit instead of a Surveillance Audit, or 3.) Is it up to the Registrar? In this case, assume the Surveillance schedule delay is only 3 months or less, and the company has an excellent ISO audit track record. Thank you.


Thanks for contacting ASQ’s Ask the Experts program.  With regard to the frequency of surveillance audits as well as deferral of an audit as a result of force majeure, it’s important to know that all reputable Registrars or certification bodies (CBs) are accredited by an accreditation body (AB) such as ANAB.  This is intended to ensure a consistent approach for issuance of certifications by CBs.  To maintain certification the CB may conduct periodic surveillance audits.  Registered or certified organizations must be re-certified every 3 years or prior to the expiration date listed on their certification certificate.

Surveillance audits are conducted by the Registrar to verify the organization’s continued implementation as well as the improvement of the effectiveness of their QMS.  Registrars may increase or decrease the frequency of surveillance audits based upon the maturity level of the organization’s QMS.  For this reason, the frequencies that surveillance audits are conducted may vary, but are usually scheduled annually or every 12 months.  Other situations that may affect actual frequency of surveillance audits may be the availability of Auditors or possibly, unusual situations being experienced by the Auditee or organization.

As already mentioned, re-certification audits are required to be conducted every 3 years.  A Registrar typically does not have the authority to extend any organization’s ISO 9001 certification beyond the expiration date as shown on the certification certificate.  I would suggest that the certification contract agreement between your organization and the Registrar be reviewed to determine how conditions of force majeure are to be addressed.  This review should be followed up with a discussion with the Registrar to ensure there will be no impact on your organization’s existing QMS certification.  For more information about surveillance audits and other information regarding certification bodies (CBs) review IAF guidance document “Application of ISO/IEC Guide 65:1996, Issue 3 (IAF GD 2006).  A copy of this document can be downloaded at

I hope this helps.

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX  77339

The Role of an Observer During an Audit



A customer of ours wants to participate as an observer in an upcoming audit. I’ve not been able to find much information about the role of observer – what they can and cannot do.

For instance, I assume that they cannot ask questions during the audit interview process. Does anyone have an appropriate checklist for an observation – list of dos and don’ts?


The auditors should be notified of the presence of the observer in advance. There are times where this may not be allowed depending on the type of the audit.

The customer should sign a confidentiality agreement on not disclosing any information outside the audit process. The rules should be established as part of this confidentiality agreement.

An observer (customer) may not engage in any part of the audit.

The observer may not interfere in any aspect of the audit (may not inject, provide opinions, argue a finding, speak for or against a finding, use the audit information for a future punitive measure).

If questioned during the audit, the observer should explain the role as observer. Ideally this should be brought to the attention of the auditor in advance.

These basic rules ensure that the audit is not compromised in any way and the customer’s request to witness the audit is conducted in a professional manner.

Dilip A Shah
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services.
Past Chair, ASQ Measurement Quality Division (2012-2013)
Former Member of the A2LA Board of Directors (2006-2014)

Employee Qualification Audit




I am a Quality Assurance GxP Auditor and I am being told that I cannot perform an employee qualification audit.  I am being told that CV/resumes, job descriptions, and training records are confidential and my viewing them would violate an employee’s privacy.  If this is true, how do I prove to my client that the company has qualified personnel?

On the same note, is this also true of an internal or 1st party employee qualification audit where my own company would want me to verify the qualifications of our employees to ensure they meet international FDA/ICH guidelines?


Thanks for contacting ASQ’s Ask the Experts program.

With regard to your question, maintaining confidentiality can be a major concern for the employee, organization and the Auditor.  For this reason, the review of employee files containing private data such as social security numbers, banking, personal contact or other sensitive information should be avoided if possible.

This not only maintains employee privacy, but also reduces the Auditor’s level of exposure to potential liabilities.

So now the question is; how can the Auditor verify employee qualifications and experience? Remember that there is no requirement for an Auditor to review job applications, CV/resumes, or other confidential information.

It’s the organization’s responsibility to provide the Auditor with objective evidence that they have established job descriptions for employees performing work activities that affect the quality of the product or services to be provided to the customer (ISO 9001:2008, clause 6.2.1).  This includes providing evidence that the employee’s qualifications, skills, education and any applicable certifications have been verified to meet job description requirements or the need for training has been established to ensure job description requirements are met (ISO 9001:2008, clause 6.2.2, sub., a. b and c).

As you are aware, a job description may be considered as proprietary, but they are seldom considered as private since they don’t contain any personal information.  Some organizations may require that a nondisclosure agreement (NDA) be signed to protect proprietary information such as engineering data, drawings or other methods related to product realization processes.

A record of an organization’s review and verification of employee qualifications should be readily available.  Likewise, training and applicable certification records should be available to provide objective evidence that qualification and/or competency requirements have been met (ISO 9001:2008, clause 6.2.2, sub., e).

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX

AS9100 Audit



I have recently started work at a company that is registered to AS9100. My previous employer was registered to ISO 9001 and I was trained as an internal auditor.

What additional training is required to audit to AS9100? (other than learning the standard).

Does my previous training in internal quality auditing qualify me to audit to the AS9100 standard?

Are the standards for auditors different for AS9100 than ISO 9001?


The ISO 9001 and AS9100 requirements for internal auditors are the same; that the auditor be competent. The organization determines the competence requirements for its internal auditors. Typically, the competence includes both knowledge of the standard and internal audit methodology.

Buddy Cressionnie
International Aerospace Quality Group Americas AS9100 Lead
Voting member of the U.S. TAG to ISO/TC 176
Southlake, TX

Additional ASQ Resources

AS9100 Keeps Bosch Communications Flying High in Aerospace Industry
by Janet Jacobsen
Abstract: In 2006, the Bosch Corporation acquired Minnesota-based Telex Communications, Inc., a supplier to the aerospace industry. This business became known as Bosch Communications Systems. Boeing, a key customer for Bosch Communications’ aviation headsets, issued a requirement for all suppliers to become certified to AS9100, the international quality management system standard for the aerospace industry. To satisfy Boeing’s requirement, Bosch Communications launched an ambitious initiative to achieve dual AS9100/ISO 9001 certification in less than one year. Bosch contracted with ASQ to provide AS9100 lead auditor and internal auditor training to educate a cross-functional team about the standard and prepare them for the auditing process. In October 2008, just 11 months after launching its certification effort, Bosch earned both AS9100 and ISO 9001 certification.

Road to Revision- The path ahead for updating the AS9100 series of standards
by Buddy Cressionnie
Abstract: The flagship aviation, space and defense quality management system (QMS) standard has started revision activities. AS9100—Quality management systems—requirements for aviation, space and defense organizations is the foundation standard of the International Aerospace Quality Group (IAQG).

The AS9100C, AS9110, and AS9120 Handbook (ebook)
by James Culliton
Abstract: AS9100, AS9110, and AS9120, the quality management system (QMS) standards for the aerospace industry, are written in the most ambiguous language possible. Indeed, they don’t outline how they should be implemented. Those decisions are left to the organization implementing their requirements or, in some cases, to a consultant.

Although some consultant firms for aerospace systems are excellent, there are many that purport to be experts yet proffer systems and processes that are either in contravention to the standards’ requirements or so unwieldy that they render the process impotent.

In an effort to simplify these issues, this book proposes practices that have been described as opportunities for improvement or best practices by registration auditors in the past. It includes a discussion of each of the three standards’ clauses, suggests best practices to comply with them, outlines common findings associated with them, and provides an overview of the changes to AS9100C from AS9100B.

Gap Analysis Vs. Pre-assessment for a Standards Audit


Can you clarify the difference between a gap analysis and a pre-assessment in relation to an activity that takes place prior to the full compliance audit? It is my understanding that a gap analysis compares something against a set performance level or standard requirement and an assessment is the collection and analysis of information to determine the projected compliance of an organization to a standard. Both provide the answer of what is missing, but the gap analysis also provides information on where an organization wants to be without going so far as to telling the organization how to get there (consulting).

Thanks for contacting ASQ’s Ask the Experts program. With regard to your question, the primary difference between a gap analysis and a pre-assessment is that a gap analysis applies to management systems such as ISO 9001:2008, ISO TS29001 or others. A gap analysis is typically the initial step in the QMS certification process. It is used to identify areas within a quality management system that do not meet defined requirements for certification. This can include processes, persons or product. The results of the gap analysis are based upon objective evidence, such as records reviewed, interviews conducted and observations made, to evaluate an Auditee’s conformance with requirements.

A pre-assessment is usually the initial phase of the accreditation process. A pre-assessment, or a practice assessment, is conducted prior to a conformity assessment to identify areas that must be improved or corrected before accreditation can be obtained. Unlike a compliance audit where the Auditor verifies conformance based upon objective evidence as mentioned earlier, an Assessor is also focused on assessing an organization’s competencies and performance of required tasks, such as measurement of uncertainty (MU), metrological traceability and proficiency testing (PT) as defined by ISO 17025:2005 and referred to by some as the “big three”.

A commonality shared by a gap analysis and a pre-assessment is that they both identify nonconformities or gaps between what exists and what is required by the standard or other defined criteria.

As you are aware, “gap analysis” and “pre-assessment” are not interchangeable terms. A gap analysis is associated with QMS certification or registration as issued by a Registrar and pre-assessment or practice assessment is associated with an activity performed prior to conducting a conformance assessment for accreditation. ISO 9000:2005 and ISO 17000:2004 provide vocabulary and terms for ISO 9001:2008 and ISO 17025:2005 quality management systems, respectively. Additional vocabulary and terms, as applicable to ISO 17025:2005, are provided in ISO/IEC Guide 99:2007, International Vocabulary of Metrology.

I hope this helps.

Best regards,


Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339