Checklist for quality management system audit. Internal audit of the bank's QMS and management review. Test Applications

Remember, we have identified two parts of the ISO 9001:2015 requirements for internal audits. Just now we mainly talked about the first part. The practical implementation of the rest of the ISO 9001 provisions in the enterprise will be more difficult to verify. However, this task is up to anyone. Depends on the specifics of the particular process being checked, of course. As you know, many companies resort to key performance indicators (KPIs - Key Performance Indicators, - ed.) to evaluate performance, including when they achieve compliance with ISO 9001:2015. , measuring a specific indicator of which one can confidently draw conclusions about the state of the process.

I say this to the fact that if KPIs are implemented and supported by process owners, then an assessment of the effectiveness of the QMS based on existing KPIs can be included as one of the elements of the internal audit checklist. If KPIs are not included in the practice of the audited company, then it would be good to include a question to the process owner in the checklist: how does he determine for himself that his process is effective. By finding this out, you will get more out of the internal audit process.

For more information about key indicators activities, visit the page "".

The area of ​​need for control depends on the structure and type of activity of a particular organization. To properly check the work of the company, it is necessary to conduct regularly. This procedure is simply impossible without a correctly compiled checklist.

The concept of a checklist for internal audit

An audit checklist may be required to audit the entire activity of an organization or a single industry, process or department. This document was previously filled out in paper form, later electronic versions began to appear in Word and Excel. Now there are specialized applications for, but the previous methods are still relevant.

The standard form of the audit checklist contains 6 columns:

1. Number line.
2. Verifiable ISO requirement.
3. Detailed questions.
4. A method for evaluating the requirement being tested.
5. Check result mark.
6. Comments of the auditor or commission.

The very concept of a checklist literally translates as a "checklist" and can even be used to audit the activities of 1 employee of the company.

Legal Framework

According to the Federal Law of December 30, 2008 No. 307 "On Audit", the preparation of checklists is regulated various kinds, but this applies to external audit. It is legally allowed to conduct an internal audit by involved companies. Management can invite an employee to conduct an audit, rather than create a commission from their own employees.

Article 19 of the Federal Law "On Accounting" dated December 6, 2011 obliges to conduct an internal audit. This concerns the verification of the accounting area, other areas of activity are controlled according to the personal preferences of the organization.

Document Functions

The main tasks of the checklist are to control and structure information about the current processes of any type of activity. This is a kind of checklist of questions that allows you to conduct a systematic analysis and identify shortcomings in the work of a particular link in the organization.

In addition to the controlling function, based on the checklist data, it is possible to draw up a further development plan or change the structure of the company. Also, based on the results of an internal audit, it is permissible to assess the competence of employees of the audited department of the company or the whole.

The steps for filling out the checklist for the internal audit of the QMS with examples are described below.

Filling steps

In the control process, the structure of the checklist is important. When developing it, it is necessary to take into account a logical sequential procedure that excludes a constant return to aspects already considered. This will allow you to build the correct structure not only of the checklist itself, but also help in filling it out correctly.

In fact, filling out a well-written checklist is very simple.

• At the first stage, it is necessary to delve into the content of the check item, read the question or familiarize yourself with the controlled criterion.
• Further, the evaluation method should be specified and carried out in accordance with this paragraph. This may be an inspection, interview, survey, review of documentation, or other form of assessment.
• At the third stage, it is necessary to enter or enter the results of the control in the appropriate column of the checklist.
• Also in a number of documents there is a paragraph with the auditor's comments. If it is present in checklist, then it must be completed before moving on to the next question.

You can download a sample checklist for internal audit.

Sample checklist for internal audit

Sample checklist for internal audit - 1

Sample checklist for internal audit - 2

Sample checklist for internal audit - 3

Sample checklist for internal audit - 4

Sample checklist for internal audit - 5

Roman Isaev

Expert on organizational development and process management

GK Partner Modern technologies management"

Head of organizational and corporate development projects

Professional business coach and Business Studio specialist

The final article of the cycle devoted to the functioning of the quality management system (QMS) in commercial bank(beginning see: MMK, 2010, No. 11-12 "Typical quality management system for a commercial bank and its architecture", part 1 and part 2). In a series of articles in this cycle, the processes (stages) of QMS development are considered in detail: planning and building a QMS (see: MMK, 2011, No. 1), managing each QMS process (see: MMK, 2011, No. 2), internal audit of the QMS, analysis of the QMS by the bank's management, as well as practical examples and recommendations from the experience of various banks. The author demonstrates how to ensure the stable and efficient functioning of the QMS in a bank over a long period of time.

Internal audit of the QMS of the bank

Audit— a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria have been met.

The object of the audit can be: QMS (top level), process, department, Information system and etc.

Model this process shown in diagram 1.

Scheme 1. Internal audit of the QMS

When conducting an internal audit of the bank's QMS, it is recommended to use the ISO 19011 "Guidelines for the audit of quality management systems and / or environmental management systems".

The templates of documents that are necessary for conducting an audit of the bank's QMS and an audit of the bank's processes are given in.

see schemes 2 and 3, MMK, 2011, No. 1, p. 6-7), then the internal audit of the QMS includes two corresponding stages, as well as general stage"Preparation for the audit":

1. Preparing for an audit. Contractor: quality service;
2. Internal audit of the QMS (top level). Contractor: quality service;
3. Process audit. Implementing partner: process team.

Let's consider these stages in more detail.

1. Preparation for the audit

It includes the following procedures and actions.

Development, coordination and approval of the program of internal audits. This document contains a list of all types of audits with names (for the next year). For each audit, the following is indicated: a list of audit objects, full name the head of the audit, the period of the audit.

Formation and training (if necessary) of a group of internal auditors of the bank. In parallel with the development of the audit program, the need for auditors is determined, a group of auditors is formed and trained (if necessary), auditors are appointed for each process team, auditors are appointed to audit the top-level QMS, and the chief auditor is approved.

Preparation and issuance of an order for internal audits. The order for the bank approves the audit program, the composition of the group of auditors and their duties, the duties of members of process teams, heads of departments and employees of the bank during audits.

Training teaching materials for internal audit.

Development of a single checklist for process audit.
A checklist is a table that is used by the auditor to check the performance established requirements. A fragment of the checklist (three columns of the table) for process audit is shown in Table. one.

The checklist consists of six columns:

• Line number;
• Checked requirement;
• Clarifying questions (if necessary);
• Method of evaluating the fulfillment of the requirement (study of documentation, observation, survey, etc.);
• Compliance / non-compliance mark;
• Audit evidence (record and auditor's comments).

Table 1. Checklist for process audit (excerpt)

A single process audit checklist is required to ensure that all process teams and auditors audit processes against the same requirements.

2. QMS audit (top level)

Consists of the following procedures and actions.

Development of a checklist and plan for the audit of the QMS (top level). A sample checklist (fragment) for auditing the QMS (top level) is presented in Table. 2.

Table 2. Checklist for internal audit of the QMS (top level)

It lists the general requirements for the QMS components (top level). These requirements should be detailed and supplemented by the requirements of the ISO 9001 standard (one might say, quotes from this standard) and the bank's own requirements.

For example, the requirement “1.1. The list (completeness) of documentation - compliance with the requirements of ISO 9001 "is detailed for the requirements of Sec. 4.2 of ISO 9001 "Documentation Requirements", which indicates the composition of the required documentation:

“The quality management system documentation should include:

• Documented quality policy and objective statements;
• Quality quide…" .

Based on the checklist, a QMS audit plan is developed.

The audit plan consists of five columns:

• Line number;
• Checklist number or section (group of requirements to be checked) of the checklist;
• FULL NAME. auditor;
• Date and time of the check;
• FULL NAME. and the position of the person responsible from the members of the process team / executors of the process.

The auditor selects the requirements from the checklist and specifies in the plan when, how and with the help of whom he will check them.

For example, to check the requirement "1.2. Relevance of Documentation” the auditor appoints several interviews with bank employees responsible for these documents, and writes it down in the plan.

Conducting an audit of the QMS (top level) according to the plan and filling in the checklist. The auditor evaluates the fulfillment of each requirement from the checklist using the selected assessment method (interviews bank employees, studies documentation, monitors the bank's activities). Then he puts a mark on compliance / non-compliance and indicates the evidence that confirms this.

Preparation of a report on the results of the internal audit of the QMS (top level). In the report on the results of the internal audit of the QMS, all completed checklists are combined in the order of the requirements. The total number of identified inconsistencies, conclusions and conclusions are indicated.

Development of corrective and preventive actions based on the results of the audit.

Implementation of prompt corrective and preventive actions.
The most urgent and important actions are performed immediately after development. Actions that require the involvement of significant labor and financial resources are carried out during the next period of QMS functioning.

3. Process audit

The rules for conducting a process audit are similar to the rules for auditing the QMS (top level), only the process becomes the object of the audit. Therefore, we give a list of procedures and actions without additional comments.

For a process audit to be carried out methodically and effectively by a process team, it must include a qualified quality auditor.

So, the process team during the audit:

• Gets acquainted with the documentation on internal audit;
• Develops a process audit plan;
• Conducts an audit of the process according to the plan and fills out the checklist;
• Prepares a report on the results of the process audit and submits it to the quality service;
• Develops corrective and preventive actions based on the results of the audit;
• Performs prompt corrective and preventive actions.

For example, in one bank, a completely normal and cost-effective process called “Salary Projects” functioned. However, as a result of the audit, many inconsistencies were identified. Some of them were not even known to the owner and functional managers of the process. Eliminating discrepancies doubled the efficiency and quality of the process.

Receiving and aggregating process audit reports from process teams. Reports on the results of all audits should be collected together for further work with them.

Analysis of the QMS by the bank's management

The model of the sub-process "Analysis of the quality management system by the bank's management" is shown in Scheme 2.

Scheme 2. Analysis of the QMS by the bank's management

The process is launched according to the frequency established by the bank (at least twice a year) or by decision of the bank's management. The director for quality manages the collection and preparation of information for the analysis of the QMS, the development of plans for improving the QMS. The responsible executor of work in the framework of the preparation of the QMS analysis is the head of the QMS department. Those responsible for the QMS analysis process within the processes are the process teams (process owner).

Since the architecture of the QMS consists of two levels (see diagrams 2 and 3, MMK, 2011, No. 1, pp. 6-7), then the analysis of the QMS by the management has two components:

• Preparation by process teams and analysis by management (committee for processes and quality) of summary reports on all QMS processes;
• Preparation by the quality service and analysis by the management (committee for processes and quality) of reports on the top level of the QMS.

It should be noted that the analysis of the QMS by the management of the bank, as well as the internal audit of the QMS of the bank, is recommended to be carried out using software products class "Business Modeling" (for example, Business Studio). They allow you to store all information and documents on the QMS, integrate (establish and maintain relationships) with other QMS components (processes, divisions, goals and indicators, projects), automatically generate QMS documents that are obtained at the outputs of processes (reports, protocols, records and etc.).

More detailed information on the use of these software products in the performance of all processes / stages of the functioning of the QMS of the bank is presented in.
The process consists of the following procedures and actions.

Sending information and requests to process teams. Process teams must analyze and audit their processes, prepare and submit to the quality service a summary report on the process. Process commands may be asked to Additional Information by process, which is not included in the summary report.

Receiving, checking and aggregating summary reports on processes from process teams. All reports must be reviewed and then combined into a single process report.

Preparation and aggregation of reports on the top level of the QMS include reports:

• According to the results of the internal audit of the QMS;
• On the implementation of corrective / preventive actions for the top level of the QMS;
• Analysis of customer claims (consolidated);
• On the implementation of the plan for the development, updating and improvement of the QMS;
• On the implementation of actions approved based on the results of the previous analysis of the QMS by the management;
• According to the analysis of factors of external and internal environment, changes that significantly affect the Bank's QMS.

More information about these reports, as well as their samples, are presented in.

Development of a report on the functioning and effectiveness of the QMS. This report includes, as attachments, reports on the top level of the QMS, summary reports on processes. It should contain conclusions and conclusions about the functioning and effectiveness of the QMS (each component) for the past period.

Development of corrective and preventive actions. Corrective and preventive actions are developed by the quality service both for process teams and for the top level of the QMS.

Preliminary study of the report, plans, preparation of comments and suggestions. The management of the bank (committee on processes and quality) must familiarize themselves with all the documents and submit their comments and suggestions to the quality service.

Collection and processing of comments and suggestions from members of the process and quality committee

Organization of the committee, presentation of the final version of the report and plans for the committee meeting(performed by the quality department).

Preparation, presentation of the report and presentation of the report. The Quality Director at a meeting of the Processes and Quality Committee makes a report on the functioning and effectiveness of the QMS for the past period, makes presentations of prepared reports and plans.

Discussion and approval of the report, plans and decisions. When discussing the report and plans at a meeting of the process and quality committee, the necessary adjustments and additions are recorded for them. Based on reports and plans, the committee must evaluate the effectiveness and quality of each component of the QMS (in accordance with the architecture - see diagrams 2 and 3, MMK, 2011, No. 1, pp. 6-7). There may be the following solutions/assessments:

• Excellent. All planned results have been achieved. There were no failures, errors, inconsistencies. The component does not require improvement and corrective actions;
• Satisfactorily. Not all planned results have been achieved. There were minor glitches, bugs, inconsistencies. Some improvements and corrective actions are required;
• Unsatisfactory. Planned results have not been achieved. There were significant failures, errors, inconsistencies. Significant changes are required.

During the meeting, a protocol is drawn up for the analysis of the quality management system by the management, which indicates the decision made on each document / component of the QMS considered by the committee.

Adjustment and approval of plans based on the results of the analysis of the QMS by the management(performed by the quality department).

For example, in one bank, the management, after studying all the reports of the QMS, remained so satisfied with the transparency and efficiency of the activities under their control that they allocated three separate spacious offices equipped with "the latest technology" to the quality service, next to the office of the chairman of the bank's board.

Conclusion

So, the secret of the stable and efficient functioning of the Bank's QMS for a long time lies in the strict observance of the processes and procedures described in this paper, as well as in the use of standard and best practices in the field of quality management (for example, a standard bank quality management system).
Thus, the bank's QMS will be ready for repeated successful certification and will be able to constantly bring to the bank both financial (increased profits, reduced costs for low-quality processes) and non-financial effects (increased reputation, customer loyalty).

List of used literature

ISO 9000:2005. Quality management systems. Fundamentals and vocabulary
Standard quality management system for a commercial bank (as part of a comprehensive standard business model for a commercial bank)
ISO 9001:2008. Quality management systems. Requirements
Isaev R. A. Business engineering and management in a commercial bank. — M.: VOICE-PRESS, 2009. — 318 p.: ill.

Today, the concept of "internal audit" has become widespread in business. Many large enterprises and companies prefer to create their own internal audit services and departments by training their employees. In addition, the labor market is constantly growing demand for specialists who have relevant knowledge and have an international diploma.

Tasks of internal audit at the enterprise

Internal audit in an enterprise is an activity that aims to provide objective and independent advice and guarantees to improve the activities of an enterprise. The purpose of internal audit is to assess risks, find ways to reduce them, and also increase the profitability of business processes.

Auditor advice includes evaluation, analysis and reporting on the efficiency and reliability of processes. They are addressed directly to the administration of the organization.

The main tasks of internal audit at the enterprise:

• verification of internal control systems to determine the level of efficiency of the units;
• development of an integrated risk management system, analysis of its work, as well as the creation of measures to reduce them;
• control over compliance with the principles of corporate governance.

The need to introduce internal audit

Recently, in Russia there has been an orientation towards the separation of the functions of management and business ownership. The owners implement one general strategy for the development of the organization and manage the main directions, and for solving small and everyday tasks, as a rule, they hire top managers. In this case, the enterprise uses a tool for monitoring the state of affairs - internal or external audit. It allows owners to receive full and objective assessment the activities of the entire organization.

For the implementation of internal audit in Russian companies influenced no less the federal law"On Accounting" dated 06.12.2011. According to Article 19, from the beginning of 2013, absolutely all economic entities must carry out internal control economic activity.

Checklist for internal audit

Control of accounting and management accounting, as well as other areas of management, should take place absolutely at all enterprises. However, it is important to know about the features of this procedure. All processes must follow each other in an orderly manner. Since it is due to the correspondence this requirement many mistakes and problems can be avoided when auditing by regulatory authorities. Completing the checklist makes the process much easier. Its role is very difficult to exaggerate.

What you need to know about the checklist

This document consists of a list of detailed audit questions. The checklist does not have a specific format established by law. However, it is necessary to follow some rules when compiling and filling it out. This will reduce the likelihood of problems in the audit process.

In fact, with the help of a checklist, you can solve a fairly large number of issues and tasks not only during the audit, but also during the ongoing activities of the enterprise. This document may be used various organizations, controlling institutions and their officials.

With the help of a checklist, you can solve the following tasks:

• properly plan the audit in accordance with legal regulations;
• carry out intermediate and selective control, conduct effective time management;
• ensures that important parts of the audit are not missed;
• is one of the means of memory;
• simplifies auditing;
• with its help, the audit is carried out in a complex, structured and holistic way, etc.

Legislative act that governs the drafting this document, is Federal Law No. 307 of December 30, 2008 “On Auditing”.

An example of an internal audit checklist can be found here.

Internal audit of the QMS

QMS - quality management system - one of the parts of the entire company management system, which was created to ensure and control the stability of economic activity, High Quality and minimizing the cost of producing products or providing services.

According to the QMS, the structure of the documentation is as follows:

• quality requirements (quality manual);
• goals and policy in the field of product quality, services;
• necessary documented processes;
• regulations of procedures, work instructions;
• quality records.

The audit of quality management systems is not regulated by either federal or international legislation. Therefore, there are no mandatory legislative norms that define the procedure and rules for conducting an audit of quality systems at an enterprise. This is due to the voluntary desire of the organization to certify quality systems. And all the work that accompanies the construction and implementation of the quality system is also a voluntary initiative.

Consequently, organizations that are engaged in QMS audits can carry out their activities without additional licenses or other permits. And for the implementation of internal audit, and even more so, these documents are not needed. Despite this, there are special rules that govern the conduct of QMS audits. For example, ISO 19011:2011, which is called “Guidelines for auditing management systems”. It can be used for internal and external audits.

Order on internal audit

Order on internal audit - internal document, which is compiled by the head of the company and establishes:

• dates of the audit;
• groups of internal auditors and specialists responsible for its implementation;
• provision of conditions for internal audit;
• control over the audit.

How to Become an Internal Audit Specialist

Every day the demand for specialists who are able to carry out internal control of the enterprise is growing. But the demands on them are also rising. They must have financial knowledge, understanding of internal control and corporate governance know the national and international standards of internal audit, as well as understand the specifics of the activity that needs to be analyzed.

Online training comes to the rescue of always busy financial professionals. Online courses allow you to study without interruption from your main activity, at home or at work in convenient comfortable familiar conditions. The quality of distance learning is not inferior, and often exceeds face-to-face counterparts, due to the involvement of highly qualified teachers, a modular course system, online tests and much more.

Diplomas and certificates in internal audit

To obtain a diploma that confirms qualifications in the field of internal audit, it is worth choosing an international program of a foreign institution. Today, Russian specialists have access to such programs as IPFM, IFA, ICFM and CIA.