| Name | Expert Company Limited |
|---|---|
| Address | Building No.: 7852, Street: King Khaled Branch Road, District: Al Salmaniyah, City: Ad Diriyah, Kingdom of Saudi Arabia – Zip Code: 13715, Additional No.: 3748 |
| Contact Person | Dr. Abdelkarim Mahmoud |
| Email | info@exp-sa.com |
| Audit Criteria | ISO 9001 |
| Scope | Provision of Information Technology Solutions and Services, including ERP implementation, open source solutions, digital transformation consulting, software development (web and mobile applications), and technical consultancy to enhance organizational performance and operational efficiency. |
| EA Code | 33 |

| Date | From | To | Activity (Department) | Auditor | Auditee |
|---|---|---|---|---|---|
| 2025-11-15 | 10:00:00 | 10:30:00 | Opening Meeting | ALL | Top Management |
| 2025-11-15 | 10:30:00 | 12:30:00 | Human Resources Department | DS | HR Manager |
| 2025-11-15 | 10:30:00 | 12:30:00 | Project management | AB | Project Manager |
| 2025-11-15 | 10:30:00 | 12:30:00 | Product Management | HG | Projects Manager |
| 2025-11-15 | 12:30:00 | 13:30:00 | Prayer / Lunch Break | ALL | All |
| 2025-11-15 | 13:30:00 | 15:00:00 | Purchasing | DS | Purchasing Manager |
| 2025-11-15 | 15:00:00 | 16:30:00 | Infrastructure and Public Relations Department | HG | Manager/ Staff |
| 2025-11-15 | 13:30:00 | 15:00:00 | Platform Management | AB | Manager/ Staff |
| 2025-11-15 | 15:00:00 | 16:30:00 | Research and development | AB | Manager/ Staff |
| 2025-11-15 | 13:30:00 | 15:00:00 | Sales and Marketing Department | DS | Manager/ Staff |
| 2025-11-15 | 15:00:00 | 16:30:00 | Top Management | HG | QA Manager |
| 2025-11-15 | 16:30:00 | 17:00:00 | Auditor Meeting | ALL | - |
| 2025-11-15 | 17:00:00 | 17:30:00 | Closing Meeting | ALL | Top Management |

| Clause No. | Requirements/Department | Evidence | Result |
|---|---|---|---|
| 4.3 | The scope of the organization's quality management system shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system. | The defined scope is "Provision of Information Technology Solutions and Services, including ERP implementation, open-source solutions, digital transformation consulting, software development (web and mobile applications), and technical consultancy to enhance organizational performance and operational efficiency." The scope covers a single site in KSA; the exclusion was 7.1.5. | OK |
| 4.4 | The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard. | The company has developed its organization chart as a tool for interaction between processes. | OK |
| 5.2 | Top management shall establish, implement and maintain a quality policy that: a) is appropriate to the purpose and context of the organization and supports its strategic direction; b) provides a framework for setting quality objectives; c) includes a commitment to satisfy applicable requirements; d) includes a commitment to continual improvement of the quality management system. The quality policy shall: a) be available and be maintained as documented information; | The policy statement has been approved by the CEO by signing the policy dated 1/1/2025. | OK |
| 6.1.1 | When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: a) give assurance that the quality management system can achieve its intended result(s); b) enhance desirable effects; c) prevent, or reduce, undesired effects; d) achieve improvement. | The company has developed a SWOT analysis, a method defined in the ISO 31010:2017 guideline, as its method of defining threats and opportunities. The company has also developed a heat-up matrix to evaluate the defined threats and opportunities. A sample of the risk assessment has been observed for the gov. software projects. | OK |
| 6.2 | The organization shall maintain documented information on the quality objectives. | The objectives statement has been reviewed. The defined objectives are part of the company Strategic Plan for 2030. The defined objectives cover each level in the organization, such as contracting with 3 new clients each year (Sales), improving employees' qualifications (HR), providing proposals for big projects (Technical department & Product department), increasing the number of agents and branches (Marketing), and developing software products that reflect the company morel. | OK |
| 7.1.5.2 | When measurement traceability is a requirement, or is considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring equipment shall be: a) calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information; b) identified in order to determine their status; c) safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results. | The company has excluded this clause because the company's products and services don't need measuring equipment to be verified; the product and solution are verified by functional operation. | OK |
| 7.5 | The organization's quality management system shall include: a) documented information required by this International Standard; b) documented information determined by the organization as being necessary for the effectiveness of the quality management system. | The company has developed a paperless system to implement its management system. Most forms can have names without a code for identification. The company has developed its open-source software, which is provided to clients and used by the company to control its processes. | OK |
| 9.1.1 | The organization shall determine: a) what needs to be monitored and measured; b) the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results; c) when the monitoring and measuring shall be performed; d) when the results from monitoring and measurement shall be analyzed and evaluated. The organization shall evaluate the performance and the effectiveness of the quality management system. The organization shall retain appropriate documented information as evidence of the results. | During stage 1, the KPI establishment was checked. The company has defined many KPIs, such as the Sales KPI and the period of occupation of the position for HR. | OK |
| 9.1.2 | The organization shall monitor customers' perceptions of the degree to which their needs and expectations have been fulfilled. The organization shall determine the methods for obtaining, monitoring and reviewing this information. | The company has also established a customer feedback form to collect and monitor customer feedback. Feedback can also be collected through regular meetings with the client's top management. | OK |
| 9.2 | The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system: a) conforms to: 1) the organization's own requirements for its quality management system; 2) the requirements of this International Standard; b) is effectively implemented and maintained. | The company has been exposed to different types of audits by external parties, such as financial audits and product audits. However, the audits don't cover all aspects of the QMS. | NC |
| 9.3 | The management review shall be planned and carried out taking into consideration: a) the status of actions from previous management reviews; b) changes in external and internal issues that are relevant to the quality management system; c) information on the performance and effectiveness of the quality management system, including trends in: 1) customer satisfaction and feedback from relevant interested parties; 2) the extent to which quality objectives have been met; 3) process performance and conformity of products and services; 4) nonconformities and corrective actions; 5) monitoring and measurement results; 6) audit results; 7) the performance of external providers; d) the adequacy of resources; e) the effectiveness of actions taken to address risks and opportunities; f) opportunities for improvement. | Although the company has conducted periodic management review meetings, the meetings don't cover all the clauses required by the standard. | NC |

| Clause No. | Requirements/Department | Evidence | Result |
|---|---|---|---|
| 5.3, 7.1, 7.2 | Human Resource | Auditee: Abo Bakr Eltayeb. Role: HR MGR. The audit covered the human resources department and included a review of processes related to recruitment, training and competency, employee records, performance evaluation and compliance with ISO 9001:2015 requirements. Documents reviewed: HR Procedure; Recruitment and selection system (period from August to November); Job descriptions (HR Expert); Training and competency records (training record for Osman Gamel, employee #: 146, request date: 06/10/2025, start date: 09/11/2025, course name: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise); Employee record, employee performance evaluation, and attendance and leave system (employee name: Abubaker Eltaieb, file #: EXP111); Overtime pay system (HR Procedure Clause 3.2). | OK |
| 5.3, 6.3, 7.1, 7.2, 7.4, 8.1, 8.2, 8.5 | Project Management | The project management process starts with marketing processes, then an application is sent to the client for his initial requirements, then Expert Company introduces the initial ready-made Odex system. After that, discussion meetings are arranged to finalize the client requirements based on the ready-made application selected. This is followed by preparation of the technical and commercial offers with all details, then the contract is signed with the client. After that, the Expert team has a preparation period for buying any required equipment or applications, etc. Then the Expert execution team installs the product according to the client requirements in the contract, on premises or in the cloud. After that, the application is run and implementation of the contract and project starts, with training for the client on the different system modules. After that, Expert deploys the application (Go Live) on a test environment server or VM, not on the production server. Analysis is made by the client and the Expert team, customization according to the analysis is done with the developer team, and then review and UAT testing are made. If further modifications are needed, another deployment is made; if the UAT passes successfully with no other modifications required, the actual deployment on the production server is made, and the service delivery team takes the next step for technical support. Checked the project for client Zohair Fayz and his partners for engineering and architecture consulting. Checked the contract dated 23 Dec 2021 for Zohair (CR no. 1010427119) and Expert (CR no. 1010354835) for developing an ERP system according to commercial offer No. SO689-1 dated 23/12/2021 and technical offer No. TP689-2 dated 23/12/2021 (same date), prepared by Zohair Co. The contract contains the client requirements, which include hosting the ERP in a cloud environment and use of the current copy of Odex 25, and also contains a backup policy for data during the technical support period. The project duration is 220 working days, in detail for WPS. The project contract includes a communication matrix and other terms and conditions related to after-sales (post-production services). A timetable plan using Microsoft project management has been developed with the resources required, and shows all project phases such as the start phase, preparation phase, collecting client requirements phase and system analysis phase; all data is in Arabic except some terminology in English. The plan also includes the Expert team involved in the project, with communication matrix and skills, and also the corresponding team from Zohair company (client). For the Zohair company team, the project contains each employee and his replacement, availability during the whole project, and authority and responsibility. Checked also the Expert tasks table for each module, such as the HR module with Mr. Abobakar el Tayb, the Commercial module with Ms. Asmaa El massry, etc.; this table is also assigned for analysis meeting plans with the client and the Expert team. The project also includes an assigned Responsibility & Authority matrix for the Expert team in all project phases, in an Excel sheet. The project also contains the project management business risk (risk register) to evaluate risk while the project is running, using criteria for a 5x5 matrix with definition of the risk owner; risks include delay in material supply during the purchasing process in the preparation phase, buying incompliant materials, and a sudden increase in supplier cost. Checked also the acceptance checklist for the ERP-system project by Zuhair Fayez Partnership, which includes all details agreed before in the technical offer and the updated development (customization after analysis). Checked also the log for the task opened and assigned to Mr. Mohamed Gad by project manager Mr. Abdelkarim Mohamed Mahmoud, dated 16 March 2023. Checked also the checklist for Go-Live, which contains Zuhair's responsibilities during the test, such as availability of initial data, list of users, start accounting data, list of suppliers and SSL certificate, and also Expert's responsibilities, such as data migration, system configuration, and establishing user accounts with a privilege matrix and access policies. The test includes screenshots of all screens during the test, and port and server data. An NDA agreement was signed before go-live between the client Zuhair and Expert, including Odex 25 intellectual property rights. Checked also the technical support SLA, which does not include target levels for services, such as an availability target level, although it includes a response time, which is two hours. | OK |
| 8.1, 8.2, 8.5, 8.6, 8.7 | Product Management | Auditee Name: Dr. Mohamed Elmasry. The audit covered the full workflow of product and service delivery, including: 1. Customer Requirement Gathering; 2. Initial Prototyping; 3. Gap Analysis (Customization Needs); 4. Development Planning; 5. UAT with Customer Feedback; 6. Final Customer Sign-off Before Deployment; 7. Data Migration; 8. Go-Live (Production Release). The Product Management processes are well structured and implemented. Clear evidence of: risk-based planning; customer involvement throughout the lifecycle; validation & verification activities; controlled deployment and sign-off. Evidence: Insan Association, Eng. Fares Obeidat (Project Manager): the procedures list and item register were reviewed; the gap description and required time estimation were also reviewed. Review of project statuses and their management: Awaed Platform Project, Abdul Mohsen Company Project, International Modern Industries, Space Technology Project. Al-Khabeer Company Project (Limited): reviewed the approved client authorization documents. | OK |
| 8.4 | Purchasing | Auditee: Turky Ahmed. Role: Purchasing MGR. The audit covered the purchasing process, including supplier evaluation and selection, purchase requisitions, purchase orders, and receipt and inspection, in compliance with ISO 9001:2015 requirements. Documents reviewed: Purchasing Procedure; Approved supplier list; Purchase Requisitions (PR 2025/09/00091); Purchase Orders (PO0217); Receipt and inspection system. | OK |
| 7.1.3, 7.1.4, 8.2, 8.5 | Infrastructure and Public Relations Department | Auditee Name: Eng. Motaz Mohamed. Process: Cloud Infrastructure. All systems are hosted on Digital Ocean. The hosting environment supports redundancy, backups, scalability and access control. PR and communication activities are aligned with management guidance. The infrastructure environment is outsourced, stable, secure, and properly maintained. Control of the hosting provider aligns with ISO 9001. Evidence: Stages: Test / Pre-Production / Production. The servers were reviewed along with the GitHub software used for software management, as well as SonarQube for detecting code gaps before testing. | OK |
| 8.3 | Research and development | Checked with the development department the code used by the developers, who use GitHub for controlling the team's development activities. During the audit it was observed that the table codes, for example, use normal names that can be predicted by hackers, such as a benefit table with fields like sms_phone or name, and it is recommended to encrypt the tables and fields to minimize the hacking risk to the application. Checked also the development environment used, which is completely different from the test or live environment. Checked the design inputs, which are sent to developers as output from analysis, and checked also the output code, which is reviewed to ensure the output matches the input requirements as a verification of the design. The final validation of the design, made in the UAT checklist, has been reviewed for the Zuhair project. | OK |
| 8.2 | Sales and Marketing Department | Department: Sales. Auditee: Mohamed Faieq. Role: Sales MGR. The audit covered the sales process from customers' requirements, communication, commercial offer, preparation of quotations, contract review and order confirmation to after-sales maintenance service and customer satisfaction, in compliance with ISO 9001:2015 requirements. Documents reviewed: Sales procedure; CRM system entries (Undefined, MQL, Old, Proposition, Negotiation, Not Opp., Lost, Won); Quotation record, customer communication records by email, Sales Order (SO1200); KPIs (Q3). Department: Marketing. Auditee: Mostafa Gamal. Role: Marketing MGR. The audit covered marketing activities including website management, content creation, campaigns and compliance with ISO 9001:2015 requirements. Documents reviewed: Marketing presentation; Market analysis report (date 09/11/2025); Campaign reports (date 09/11/2025); Communication records by email; Content calendar; KPIs (weekly KPIs, last update: 11/11/2025). | OK |
| 9.1, 6.2 | Top Management / KPIs | Auditee Name: Dr. AbelHakim. Process: KPI & Performance Monitoring. Evidence: Review of KPIs for customer satisfaction, project delivery performance and sales conversion metrics. All KPIs were reviewed and validated. KPI measurement is consistent and aligned with quality objectives, and customer satisfaction monitoring is in place and functioning. Evidence: The overall indicators and related gaps for September and October 2025 were reviewed. | OK |