1. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 Overview of ISO 9001:2008 Mar- 2016 Internal Auditor Training

2. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 2 What is in ISO 9001:2008 ? Internal Auditor Training

3. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 3 Deming Cycle PLAN ACT CHECK DO P-D-C-A Cycle

4. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 4 ISO 9001:2008 - Process Model ISO 9001 : 2008 – Process Model

5. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 5 Process approach System approach Internal Auditor Training

6. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 6 Provision of resources Human resources Infrastructure Work environment 6 Resource Management General requirements Documentation Requirements Planning Customer related processes Design & developme nt Purchasing Production & service provision Management Commitment Customer focus class policy Planning Responsibility, authority & communication Management Reviews 5 Management Responsibility 8 Measurement Analysis & improvement 4 Quality Management System 7 Product Realization General Monitoring & measurement Control of NCP Analysis of data Improvements System Requirements / Structure of the Standard

7. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 7 0.1 General Quality management, a strategy Strategic decision - adoption of QMS QMS design & implementation is organisation specific Uniformity of systems across organizations not intended Standard can be used by internal & external parties to assess the ability to meet customer, statutory & regulatory requirements applicable to the product and organisation's own requirements QMS requirements are complementary to technical requirements for product Introduction Internal Auditor Training

8. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 8 1 Scope 1.1 General  Need for demonstration  Aim of an organization implementing the standard 1.2 Application  Exclusions  Not affect ability or responsibility to provide a product that meets customer and applicable statutory & regulatory requirements be limited to clause 7 ( Cl. 4.2.2: “details of & justification for any exclusion” to be included in the quality manual”)  Conformity to ISO 9001 may not be stated if exclusions go beyond above. NOTE : ‒ Product = product intended for or required by customer = any intended output resulting from the product realization process ‒ Statutory and regulatory requirements can be expressed as legal requirement Internal Auditor Training

9. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 9 2.0 Normative reference ISO 9000 : 2005, Quality Management systems - Fundamentals and vocabulary 3.0 Terms and definitions ISO 9000 : 2005 applies In the ISO 9001:2008 wherever the term product appears it can also mean service Product = result of processes Note: Four generic product categories Hardware Software Services Processed materials Internal Auditor Training

10. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 10 4.0 Quality Management System 4.1 General requirements Establish, document, implement, maintain a QMS and continually improve its effectiveness in accordance with the standard Determine the processes necessary for QMS, sequence of interaction, criteria and methods to ensure effective operation and control Internal Auditor Training

11. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 11 4.2.1 General documentation requirements To Extend - Size and type of organization - Complexity and interaction of processes - Competence of personnel Note : … a single document may address one or more procedure... One procedure may be covered by more than one document To include - Quality policy & objectives - Quality manual - Documented procedures & records required by this standard. - Documents and records required by organization to ensure effective operation & control processes 4.2.2 Quality manual … Scope exclusions; procedures; interaction of processes. Internal Auditor Training

12. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 12 4.2.3 Control of documents Documented procedures required: ‒ approval, review, updating and identification of changes ‒ availability at points of use, legibility, identification ‒ external origin necessary for QMS as determined by the organization to be identified and distribution controlled ‒ Unintended use of obsolete documents to be prevented Internal Auditor Training

13. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 13 4.2.4 Control of records ‒ Documented procedure required ‒ Identification, storage, protection, retrieval, retention and disposition ‒ Legibility and identification Internal Auditor Training

14. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 14 5.0 Management Responsibility 5.1 Management Commitment 5.2 Customer focus 5.3 Quality policy 5.4 Planning 5.4.1 Quality Objectives 5.4.2 QMS Planning 5.5 Responsibility, authority & communication 5.5.1 Responsibility & authority 5.5.2 Management representative 5.5.3 Internal communication 5.6 Management review 5.6.1 General 5.6.2 Review input 5.6.3 Review Output Internal Auditor Training

15. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 15 5.1 Management Commitment  Top management provides evidence of its commitment. 5.2 Customer focus  Top management to ensure customer requirements are met. 5.3 Quality Policy  Top management to ensure five requirements. 5.4 Planning  5.4.1 Quality objectives  Deployment – measurability - consistency with policy  5.4.2 QMS Planning  Planning to meet objectives and integrity of the system to be maintained despite changes to QMS Internal Auditor Training

16. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 16 5.5 Responsibility, Authority and Communication 5.5.1 Responsibility and authority ‒ To be defined and communicated 5.5.2 Management representative ‒ To be a member of organizations management ‒ To have three responsibilities and authorities 5.5.3 Internal communication ‒ Establishment ‒ Effectiveness of the system Internal Auditor Training

17. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 17 5.6 Management review 5.6.1 general 5.6.2 Review input 5.6.3 Review output Internal Auditor Training

18. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 18 5.6 Management review (Cont..) As per Standard requirement the followings to be considered and reviewed -Results of Audit -Customer feedback, including customer complaint, -Process performance and product conformity, -status of corrective, preventive action. -changes that could affect th quality management system. - follow up from Previous MRM Minutes, and -Recommendation for improvements Internal Auditor Training

19. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 19 6.0 Resource Management 6.1 Provision of resources 6.2 Human resources 6.2.1 General 6.2.2 Competence, awareness and training 6.3 Infrastructure 6.4 Work environment Internal Auditor Training

20. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 20 6.1 Provision of resources To be determined and provided 6.2.1 Human resources – general Personnel to be competent Note: Conformity to product can be affected directly or indirectly by personnel performing any task within the QMS 6.2 Competence, Training, Awareness Determination of competence requirement Where applicable, provide training or take other actions Ensuring personnel are aware of the relevance….. Internal Auditor Training

21. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 21 6.3 Infrastructure  To be determined, provided and maintained  Includes buildings, process equipment, support services such as transport, communications and information systems 6.4 Work environment  To be determined and managed Note: includes physical, environmental and other factors such as noise, temperature, humidity, lighting or weather…… Internal Auditor Training

22. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 22 7.0 Product Realization 7.1 Planning of product realization 7.2 Customer related process 7.3 Design & Development 7.4 Purchasing 7.5 Production & Service provision 7.6 Control of measuring & monitoring devices Note: Exclusions within this clause with justification are allowed. Internal Auditor Training

23. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 23 7.1 Planning of product realisation While planning ‒ Determination of objectives, requirements of products, need to establish processes, resources specific to product ‒ Verification, validation, monitoring, measurement, inspection and test activities, criteria for product acceptance ‒ Records Internal Auditor Training

24. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 24 7.2 Customer related processes 7.2.1 Determination of requirements related to the product  Those specified by the customer  Those not stated by the customer  Statutory and regulatory requirements  Additional requirements considered necessary by the organization Note: post – delivery activities can be actions under warranty provisions, contractual obligations such as maintenance, supplementary services like recycling of final disposal Internal Auditor Training

25. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 25 7.2.2 Review requirements related to product  Prior to commitment to supply  To ensure that the requirements are defined, differences sorted out and that the organization has the ability to meet the requirements 7.2.3 Customer communication  Effective arrangements related to product information, enquiries, customer feedback. Internal Auditor Training

26. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 26 7.3 Design & development 7.3.1Design & development planning 7.3.2Design & development input 7.3.3Design & development output 7.3.4Design & development review 7.3.5Design & development verification 7.3.6Design & development validation 7.3.7Control of design & development changes Internal Auditor Training

27. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 27 7.4 Purchasing 7.4.1 Purchasing process  Purchased product to meet the requirements  Type an extent of control depends upon the effect..  Evaluation and selection of supplier as per requirements  Criteria established, records to be maintained 7.4.2 Purchasing information - To describe product, process, equipment, personnel, QMS 7.4.3 Verification of purchased - Inspection or other activities to ensure product meets requirements Internal Auditor Training

28. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 28 7.5Production & service operations 7.5.1 Control of production and service provision Under control conditions”….as applicable. 7.5.2 Validation of processes for production and service provision Where output cannot be verified subsequently, and as a consequence, deficiencies become apparent only after use… 7.5.3 Identification and traceability Identification by suitable means Inspection status throughout product realization Internal Auditor Training

29. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 29 7.5Production & service operations 7.5.4 Customer property Exercise care with customer property Note: customer property can include intellectual property and personal data 7.5.5 Preservation of product Preservation to maintain conformity to requirements Applicable to the constituent parts Internal Auditor Training

30. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 30 7.6 Control of monitoring & measuring equipment Determination of monitoring, measurement equipment Ensure that monitoring & measurement is done as consistent with the requirements MME to be calibrated / verified Records to be maintained Computer software’s ability to satisfy the intended application to be confirmed. Internal Auditor Training

31. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 31 8.0 Measurement, Analysis and Improvement 8.1 General 8.2 Monitoring / Measurement 8.2.1 Customer Satisfaction 8.2.2 Internal Audit 8.2.3 Monitoring & Measurement of processes 8.2.4 Monitoring & Measurement of Product 8.3 Control of Non-conforming product 8.4 Analysis of data 8.5 Improvement 8.5.1 Continual improvement 8.5.2 Corrective action 8.5.3 Preventive action Internal Auditor Training

32. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 32 8.1 General and using information to be determined Plan & implement for (a) conformity to product (b) conformity to system and (c) improvement 8.2.1 Customer Satisfaction Monitoring customer perception. Methods for obtaining and using information to be determined Note: Surveys, customer data on user opinion surveys, lost business analysis, warranty claims and dealer reports can be used……. Internal Auditor Training

33. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 33 8.2.2 Internal audit Purpose is to check conformance and effectiveness Planning to consider status, importance and previous results Objectivity and impartiality to be ensured Procedure to be documented Records to be maintained Any necessary corrections and corrective actions to be taken by the management responsible Follow up actions to verify actions and report results Internal Auditor Training

34. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 34 8.2.3 Monitoring and Measurement of processes Suitable methods for monitoring and, where applicable, measurement Corrections and corrective actions to be taken when planned results are not achieved Note: The impact on product conformity and effectiveness of the QMS is to be considered while determining controls on each of the processes. Internal Auditor Training

35. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 35 8.2.4 Monitoring and measurement of product Monitoring and measurement of characteristics of product at suitable stages Evidence of conformity is to be maintained Records to indicate the person authorizing product release to customer Product release not to proceed until planned arrangements are satisfactorily completed. Internal Auditor Training

36. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 36 8.3 Control of non-conforming product Procedure to be maintained Non-conforming product to be dealt with by Elimination of NC Authority under concession Precluding original intended use Taking appropriate action where NC is observed after delivery has started. Internal Auditor Training

37. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 37 8.4 Analysis of data Purpose is to demonstrate the suitability, effectiveness of the system and to capture improvement opportunities The data shall provide information on customer satisfaction, product conformity, characteristics and trends of processes & products and suppliers Internal Auditor Training

38. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 38 8.5 Improvement 8.5.1 Continual improvement The organisation shall continually improve the effectiveness of the QMS through use of quality policy, objectives, audit results, analysis of data, corrective actions, preventive actions, management review Internal Auditor Training

39. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 39 8.5.2 Corrective action  Organisation shall take corrective action to eliminate the causes of nonconformities to prevent recurrence  Corrective Actions appropriate to the impact of the problem Internal Auditor Training

40. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 40 8.5.2 Corrective action (Cont..)  Documented procedure shall define requirements for: - reviewing nonconformity (including customer complaints) - determining the causes of nonconformity - Evaluating the need for corrective action determining and implementing action needed - recording results of action taken - reviewing the effectiveness of the corrective action taken - A continual defect analysis through causal analysis is required Internal Auditor Training

41. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 41 8.5.3 Preventive action  Organisation shall determine action to eliminate the causes of potential non-conformances to prevent occurrence,  Actions appropriate to the impact of the potential problem  Documented procedure must define the requirements for : - Identification of potential non-conformances & their causes - Evaluating the need for preventive action - recording the results of action taken - reviewing the effectiveness of preventive action taken. Internal Auditor Training

42. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 THANK YOU About Mphasis Mphasis (an HP Company) enables chosen customers to meet the demands of an evolving market place. Mphasis fuels this by combining superior human capital with cutting edge solutions in hyper-specialized areas. Contact with us on www.mphasis.comwww.mphasis.com Presentation by E-mail : ITO_SDE@mphasis.comITO_SDE@mphasis.com © 2012 MphasiS The information contained herein is subjected to change without notice. Sanjay Gour Head – Audit & Compliance (ITO & BPO) Service Delivery Excellence Team

43. 10 June 2016 | Proprietary and confidential information. © Mphasis 2013 43 Revision History CR # (Optional) Document Version# Approval Date Modified By Section, Page(s) and Text Revised Approved by -1.028-Aug-2014Sanjay GaurInitial releaseAudit Head BEOPS-25581.118-Mar-2016 Sudha Jayachandran Revised to new Power point template PDI Leader