
ISO 19011 - 2018 Mindmap

ISO 19011 provides guidance on auditing management systems, covering the scope, principles, and processes involved in conducting audits. It outlines the roles of auditors, the evaluation of their competence, and the management of audit programs, emphasizing the importance of objective evidence and risk-based approaches. The document serves as a framework for organizations to ensure effective and compliant auditing practices.

ISO 19011 CLAUSE

1 Scope - Guidance on 2 Normative references 3 Terms and definitions 4 Principles of auditing 5 Managing an audit programme 6 Conducting an audit 7 Competence and evaluation of auditors NOTES ANNEX

guidance on auditing management systems 6.1 General 7.1 General


NIL 3.1 audit Integrity 5.1 General Audit Programme Internal audits, sometimes called first party audits, are A.1 Applying audit methods
conducted by, or on behalf of, the organization itself.
principles of auditing guidance on preparing and conducting a specific audit as part of an audit programme competence should be evaluated regularly through
systematic, independent and documented process for obtaining objective evidence (3.8) and Fair Presentation audits addressing one or more management system standards audit methods chosen depend on
process that considers :
evaluating it objectively to determine the extent to which the audit criteria (3.7) External audits include those generally called second and third
managing an audit programme Figure 2 provides an overview of the activities performed in a typical audit.
Due Professional Care separately or in combination party audits. Second party audits are conducted by parties objectives
personal behaviour having an interest in the organization, such as customers, or by
3.2 combined audit
conducting management system audits extent to which the provisions of this clause are applicable depends on the objectives and scope of the specific audit. other individuals on their behalf. Third party audits are
Confidentiality extent of an audit programme to be based on scope
ability to apply the knowledge conducted by independent auditing organizations, such as
two or more management systems
evaluation of competence of individuals involved in the audit those providing certification/registration of conformity or
6.2 Initiating audit
process Independence size and nature of the auditee governmental agencies. criteria
skills gained through education
integrated management system
6.2.1 General
includes the individual(s) managing the audit programme, Evidence-based approach nature When two or more discipline-specific management systems are duration
work experience
auditors and audit teams two or more discipline-specific management systems integrated into a single management system this is known as an
are integrated TL responsible of conducting audit integrated management system.
conclusions in a systematic audit process functionality location
auditor training
applicable to all organizations
3.3 joint audit Step 1 - 5.2 Establishing audit programme objectives The audit scope generally includes a description of the physical
Risk-based approach complexity consideration of
audit experience and virtual-locations, functions, organizational units, activities
need to plan and conduct internal or external audits of
two or more auditing organizations 6.2.2 Establishing contact with auditee and processes, as well as the time period covered.
management system focused on matters that are significant for the audit client, and for achieving the audit programme objectives. type of risks and opportunities Available auditor competence
process should take into consideration the needs of the audit
Responsibility - TL programme and its objectives A virtual location is where an organization performs work or
manage an audit programme 3.4 audit programme level of maturity of uncertainty arising from the application of audit methods
provides a service using an on-line environment allowing
Not necessary all in team to have same competence individuals irrespective of physical locations to execute
one or more audit's arrangement Reasons to contact auditee :
the management system(s) processes. variety and combination of different audit methods can optimize the
efficiency and effectiveness of the audit process and its outcome
Confirm on the following: overall competence needs to be sufficient to achieve objective
time framed management system can be even more complex when most of the important functions are If the audit criteria are legal (including statutory or regulatory)
outsourced and managed under the leadership of other organizations requirements, the words "compliance” or “non-compliance” are Performance of an audit involves
communication channels with the auditee's representatives evaluation of auditor competence should be planned, implemented and
specific purpose often used in an audit finding (3.10).4
documented to provide an outcome that is objective, consistent, fair and
under the leadership of another organization, particular attention should be paid to the design, interaction among individuals
reliable.
3.5 audit scope planning and validation of the audit programme authority to conduct the audit Requirements may include policies, procedures, work
instructions, legal requirements, contractual obligations, etc technology used
evaluation process should include 4 main steps :
extent and boundaries take into account the auditee's agreement with the auditee regarding the extent of the disclosure and
the treatment of confidential information Objective evidence can be obtained through observation, responsibility for effective application of audit methods in planning stage
determine the required competence to fulfil the needs
Includes organizational objectives measurement, test or by other means
of the audit programme
Provide info on
individual(s) managing the audit programme
physical and virtual-locations relevant external and internal issues Objective evidence for the purpose of the audit (3.1) generally
establish the evaluation criteria
Audit objective consists of records, statements of fact, or other information
audit team leader
which are relevant to the audit criteria (3.7) and verifiable
functions needs and expectations of relevant interested parties select the appropriate evaluation method
Scope
feasibility of remote audit activities can depend on
Audit findings indicate conformity (3.20) or nonconformity
organizational units information security and confidentiality requirements conduct the evaluation (3.21)
criteria
level of risk to achieving the audit objectives
activities and processes info and resources for effective audit should include outcome of evaluation should provide basis for following : Audit findings can lead to the identification of risks,
methods
opportunities for improvement or recording good practices. level of confidence between auditor
time period covered objectives selection of audit team members (as described in 5.5.4)
audit team composition, also if tech expert included
In English if the audit criteria are selected from statutory auditee's personnel and regulatory requirements
virtual location risks and opportunities associated with the audit programme and the actions to address them requirements or regulatory requirements, the audit finding is
determining the need for improved competence
Determine following : termed compliance or non-compliance.
service using an on-line environment scope of each audit within audit programme ongoing performance evaluation of auditors
applicable statutory and regulatory requirements In the case of internal audit, the audit client can also be the
3.6 audit plan schedule (number/duration/frequency) auditee (3.13) or the individual(s) managing the audit
auditors should upskill regularly and participate in audits regularly (7.6)
requirements relevant to the activities, processes, products and services of the auditee programme. Requests for external audit can come from sources
such as regulators, contracting parties or potential or existing
description of the activities and arrangements for an audit types, such as internal or external process for evaluating auditors and audit team leaders is described in 7.3, 7.4 and 7.5 clients.
audit any location-specific arrangements for access, health and safety, security, confidentiality

audit criteria Auditors and audit team leaders should be evaluated against the criteria set out in 7.2.2 One auditor (3.15) of the audit team (3.14) is appointed as the
3.7 audit criteria any areas of interest, concern or risks to the auditee towards specific audit
and 7.2.3 as well as the criteria established in 7.1 audit team leader
audit methods
set of requirements (3.23) used as a reference against request access to relevant information for planning purposes incl info on risk and opportunities and their addressal
competence required of the individual(s) managing the audit programme is described in 5.4.2 The audit team can include auditors-in-training
which objective evidence criteria for selecting audit team members
make arrangements for the audit including the schedule
7.2 Determining auditor competence Specific knowledge or expertise relates to the organization, the
Compliance - refers to legal or regulatory relevant documented information activity, process, product, service, discipline to be audited, or
agree on the attendance of observers and the need for guides
7.2.1 General language or culture.
policies implementation of the audit programme should be monitored and measured on an ongoing basis
resolve issues regarding composition of the audit team
Following should be considered for necessary competence : A technical expert to the audit team (3.14) does not act as an
procedures reviewed in order to identify needs for changes and possible opportunities for improvements auditor (3.15).
6.2.3 Determining feasibility of audit
size, nature, complexity, products, services
work instructions 5.2 Establishing audit programme objectives A management system can address a single discipline or
and processes of auditees
Carried out to determine if audit objectives are achievable several disciplines, e.g. quality management, financial
legal requirements management or environmental management.
Audit client to ensure the audit programme is established to direct planning and conducting of audits methods for auditing A.2 Process approach to auditing
Availability / consideration factors to determine feasibility
contractual obligations The management system elements establish the organization’s
Ensure Audit programme implementation management system disciplines to be audited "process approach" is a requirement for all ISO management system standards
sufficient and appropriate information for planning and conducting the audit structure, roles and responsibilities, planning, operation, policies,
in accordance with ISO/IEC Directives, Part 1, Annex SL
practices, rules, beliefs, objectives and processes to achieve
3.8 objective evidence Audit programme objectives should be consistent with the audit client’s strategic direction and support management system policy and objectives complexity and processes of the management system those objectives.
adequate cooperation from the auditee auditing a management system is auditing org processes and interrelations
data supporting the existence or verity of something Consideration for deciding Objectives types and levels of risks and opportunities addressed by The scope of a management system can include the whole of
adequate time and resources for conducting the audit the management system When activities are understood and managed as interrelated processes within a
the organization, specific and identified functions of the
should be verifiable needs and expectations of relevant interested parties organization, specific and identified sections of the coherent system, it ensures harmonious work and the results will become
Resources include access to adequate and appropriate ICT. objectives and extent of the audit programme organization, or one or more functions across a group of consistent and predictable
3.9 audit evidence characteristics of and requirements for processes, products, services and projects, and any changes organizations.
Where the audit is not feasible, an alternative should be proposed to the audit client, in agreement with the auditee uncertainty in achieving audit objectives A.3 Professional judgement
records, statements of fact or other information, management system requirements An effect is a deviation from the expected – positive or negative
which are relevant to the audit criteria (3.7) and 6.3 Preparing audit activities auditors should use professional judgement rather than getting into specifics of
additional requirements imposed by client, interested parties
Uncertainty is the state, even partial, of deficiency of information clause if the management system is achieving the intended result
need for evaluation of external providers
verifiable 6.3.1 Performing review of documented information related to, understanding or knowledge of, an event, its
This information should be matched against that listed in 7.2.3
consequence and likelihood. In situations where certain clauses do not lend themselves to straightforward audits,
auditee’s level of performance
3.10 audit findings auditors' expertise and judgment become even more valuable.
To carry out 7.2.2 Personal behaviour
Risk is often characterized by reference to potential events (as
level of maturity of the management system(s)
results of the evaluation of the collected audit defined in ISO Guide 73:2009, 3.5.1.3) and consequences (as They can interpret the requirements in the context of the organization's unique
gather information to understand the auditee's operations Auditors should possess the necessary attributes to enable them to act in accordance with
evidence (3.9) against audit criteria defined in ISO Guide 73:2009, 3.6.1.3), or a combination of processes and determine whether the spirit of the standard is being upheld.
identified risks and opportunities to the auditee the principles of auditing as described in Clause 4.
these.
prepare audit activities
indicate conformity (3.20) or nonconformity (3.21) A.4 Performance results
results of previous audits exhibit professional behaviour during performance of audit activities
Risk is often expressed in terms of a combination of the
prepare applicable audit work documents consequences of an event (including changes in circumstances)
lead to the identification of risks, opportunities for focusing on the intended results of the management system is crucial during the
E.g. of Audit Objectives Desired professional behaviours include : and the associated likelihood (as defined in ISO Guide 73:2009,
improvement audit process
determine possible conformity to the audit criteria 3.6.1.1) of occurrence.

identify opportunities for the improvement ethical i.e. fair, truthful, sincere, honest and discreet
audit finding is termed compliance or non-compliance ultimate goal is to ensure that the management system is delivering the desired
detect possible areas of concern, such as deficiencies, omissions or conflicts An effect is a deviation from the expected – positive or negative
outcomes and performing effectively
evaluate the capability of the auditee to determine its context open-minded i.e. willing to consider alternative ideas or points
3.11 audit conclusion
Documented Information to include of view Uncertainty is the state, even partial, of deficiency of information
level of integration of different management systems and their intended results is
related to, understanding or knowledge of, an event, its
evaluate the capability of the auditee to determine risks and opportunities and to identify and also key
outcome of an audit (3.1), after consideration of the consequence and likelihood.
implement effective actions to address them management system documents diplomatic i.e. tactful in dealing with individuals
audit objectives and all audit findings (3.10)
process/document importance in terms of risk varies from org to org and in some it
observant i.e. actively observing physical surroundings and activities Risk is often characterized by reference to potential events (as
conform to all relevant requirements for certification to a management system standard records need not be required
3.16 technical expert defined in ISO Guide 73:2009, 3.5.1.3) and consequences (as
defined in ISO Guide 73:2009, 3.6.1.3), or a combination of
obtain and maintain confidence in the capability of an external provider previous audit reports perceptive i.e. aware of and able to understand situations A.5 Verifying information
person who provides specific knowledge these.

determine the continuing suitability, adequacy and effectiveness of the auditee’s management system Considerations in Review versatile/adaptable i.e. able to readily adapt to different situations auditors need to ensure that the information they review provides sufficient objective
does not act as an auditor Risk is often expressed in terms of a combination of the
consequences of an event (including changes in circumstances) evidence to demonstrate that requirements are being met

Compatibility of management systems with strategic directions of organisation context of the auditee's organization tenacious i.e. persistent and focused on achieving objectives and the associated likelihood (as defined in ISO Guide 73:2009,
3.18 management system
3.6.1.1) of occurrence. considerations for meeting requirement :

5.3 Determining and evaluating audit programme risks and size decisive i.e. able to reach timely conclusions based on logical reasoning and analysis
interrelated or interacting elements of an organization to establish policies and objectives,
opportunities “Generally implied” means that it is custom or common practice complete (all expected content is contained in the
and processes to achieve objective
self-reliant i.e. able to act and function independently while interacting effectively with for the organization and interested parties that the need or documented information)
nature and complexity
others expectation under consideration is implied.
related to the context of the auditee
single discipline or several disciplines
risks and opportunities correct (the content conforms to other reliable
able to act with fortitude i.e. able to act responsibly and ethically, even though these A specified requirement is one that is stated, for example in sources such as standards and regulations)
Individuals managing audit programme to identify and present risk and opportunities
e.g. quality management, financial management documented information.
considered for audit pgme development and the resources required actions may not always be popular and may sometimes result in disagreement or
audit scope
confrontation consistent (the documented information is consistent
MS elements establish the organization’s Performance can relate either to quantitative or qualitative in itself and with related documents)
Associated Risks for Audit programme audit criteria
open to improvement i.e. willing to learn from situations findings.
structure current (the content is up to date)
planning audit objectives
culturally sensitive i.e. observant and respectful to the culture of the auditee Performance can relate to the management of activities,
roles and responsibilities processes (3.24), products, services, systems or organizations.
integrity of evidence needs to be checked if provided info in a manner other than
resources 6.3.2 Audit Planning
collaborative i.e. effectively interacting with others, including audit team members and the expected
planning auditee’s personnel In certain cases, depending on the auditee's structure or its
selection of the audit team 6.3.2.1 Risk-based approach to planning activities, the audit programme might only consist of a single
due to regulations on protection of data, specific care for security of info other than that
audit (e.g. a small project or organization).
operation 7.2.3 Knowledge and skills in scope but supporting
communication TL should plan audit based on info from audit programme and
documented info by auditee using Risk-based approach Clause 7 contains guidance on determining the competence
policies 7.2.3.1 General (should possess) : A.6 Sampling
implementation required for the audit team members and describes the
Considers for audit planning processes for evaluating auditors.
practices knowledge and skills necessary to achieve the intended results A.6.1 General
control of documented information
risks of audit activity to the auditee's process Resources include access to adequate and appropriate
rules generic competence information and communication technology. done when not practical or cost effective to examine all available info
monitoring, reviewing and improving the audit programme
provide basis for agreement between client, auditor and auditee
beliefs a level of discipline Guidance on how to verify information is provided in A.5. objective - get confidence that the audit objectives can or will be achieved
availability and cooperation of auditee
Planning to facilitate effective scheduling and coordination of audit activities to achieve objective
objectives sector-specific knowledge and skills Guidance on preparing audit work documents is given in A.13. Risk :
availability of evidence to be sampled
Audit plan details should cover
processes to achieve those objectives TL to have additional knowledge and skills to provide leadership Guidance on sampling is given in A.6 may not be representative of the population selected from
Opportunities for improving the audit programme
scope
scope of MS can include 7.2.3.2 Generic knowledge and skills of management Guidance on selecting sources of information and observation sampling deviation or variability within population
allowing multiple audits
system auditors is given in A.14.
complexity of audit
whole of the organization
minimizing time and distances travelling to site (should have knowledge and skills in following areas)
Guidance on visiting the auditee’s location is given in A.15
risk of not achieving audit objectives
specific and identified functions of the organization
Audit team competence to achieve the audit objectives Audit principles, processes and methods
Guidance on conducting interviews is given in A.17
Considers for planning by TL :
specific and identified sections of the organization
aligning audit dates with the availability of auditee’s key staff enable to ensure audits are performed in a consistent and
Additional guidance on the identification and evaluation of audit
team composition and overall competence systematic manner
one or more functions across a group of findings is given in A.18
5.4 Establishing the audit programme
organizations
appropriate sampling techniques understand the types of risks and opportunities
Conformity or nonconformity with audit criteria related to
5.4.1 Roles and responsibilities of the individual(s) associated with auditing
3.19 risk statutory or regulatory requirements or other requirements, is
managing the audit programme opportunities to improve the effectiveness and efficiency of the audit activities sometimes referred to as compliance or non-compliance.
principles of the risk-based approach to auditing
effect of uncertainty
Establish audit programme as per relevant objective and any constraints risk of ineffective audit planning in achieving the objective Awareness of statutory and regulatory requirements does not
plan and organize the work effectively imply legal expertise and a management system audit should
An effect is a deviation from the expected – positive chances of result to be biased, compared to when whole population is
Integrate the following determination process in all relevant auditing activities risk to auditee created by performing the audit not be treated as a legal compliance audit.
or negative. examined
perform the audit within the agreed time schedule
external and internal issues health & safety Audits of multiple disciplines done simultaneously can be done
Risk is often expressed in terms of a combination of Steps involved in sampling :
prioritize and focus on matters of significance as a combined audit or as an audit of an integrated
the consequences of an event
management system that covers multiple disciplines
risks and opportunities environment & quality establishing the objectives of sampling
communicate effectively, orally and in writing
(else use interpreters) Successful completion of a training course will depend on the
Implement actions to address the above products, services, personnel or infra
type of course. For courses with an examination component it selecting the extent and composition of the population to be sampled
can mean successfully passing the examination. For other
Audit Team selection Eg :- contamination of clean room collect information
courses, it can mean participating in and completing the course. selecting a sampling method

Selection as per overall competence as per auditing activities In combined audit, particular attention to be given to potential conflicts between management systems be identified and addressed interviewing
Additional information on visiting physical locations is given in determining the sample size to be taken
A.15.
Assign roles, responsibilities, authorities and as per competence 6.3.2.2 Audit planning details listening
conducting the sampling activity

Supporting leadership as appropriate scale and content can change between initial and observing
compiling, evaluating, reporting and documenting results
subsequent as well as internal and external audits
Estb relevant process : reviewing documented information
Considerations for selecting data for sampling :
Should be flexible to changes during progress of audit
coordination and scheduling of all audits activities if necessary records and data
quality of available data to sample

establishment of audit objectives, scope(s) and criteria Addressal / reference for audit planning understand the appropriateness and consequences of
sampling method
using sampling techniques for auditing

determining audit methods and selecting the audit team audit objectives
type of data required
understand and consider technical experts' opinions

evaluating auditors audit scope, along with org functions and process to be audited
Reporting :
audit a process from start to finish, including
audit criteria and referal documented info interrelations
establishment of external and internal communication processes
sample size

location (physical and virtual) verify the relevance and accuracy of collected
resolutions of disputes and handling of complaints
information selection method

audit follow-up if applicable dates


confirm the sufficiency and appropriateness of audit estimates made based on the sample
evidence to support audit findings and conclusions
reporting to the audit client and relevant interested parties expected time
confidence level
assess those factors that may affect the reliability of the
determine and ensure provision of all necessary resources duration
audit findings and conclusions Types :

ensure that appropriate documented information is meeting with auditee's management


document audit activities and audit findings, and judgement-based sampling
prepared and maintained, including audit prepare reports
audit team to familiarize with auditee facilities and processes
statistical sampling
programme records maintain the confidentiality and security of
Audit method, incl sampling information
A.6.2 Judgement-based sampling
monitor, review and improve the audit programme
roles and responsibilities of members Management system standards and other references
relies on the competence and experience of the audit team
communicate the audit programme to the audit client and interested parties
resource allocation based on risks and opportunities related to audit activities enable to understand the scope and apply criteria
considerations :
5.4.2 Competence of individual(s) managing audit
programme Audit planning should take into account management system standards or other normative or
previous audit experience within the audit scope
guidance/supporting documents used to establish
Manage audit programme identification of the auditee’s representative audit criteria or methods
complexity of requirements (including statutory and
regulatory) to achieve the objective
Risk and opportunities language - working and reporting application of management system standards by the
auditee and other organizations
complexity and interaction of the organization's
Manage external and internal issues effectively and efficiently audit report topics processes and management system elements
relationships and interactions between the
Knowledge of : management system(s) processes
logistics and communications arrangements degree of change

Audit principles, methods, and processes understanding the importance and priority of multiple
specific actions to be taken to address risks to achieving the audit objectives and opportunities arising technology
standards or references

Management system standards confidentiality and information security


application of standards or references to different human factor
audit situations
Relevant standards any follow-up actions from a previous audit or other source(s) e.g. lessons learned, project reviews management system
The organization and its context
Reference/guidance documents any follow-up activities to the planned audit previously identified significant risks and opportunities
enable to understand the auditee's structure,
Info regarding auditee and context of : coordination in case of joint audit purpose and management practices output from monitoring of management systems

external/internal issues Audit plan should be presented to auditee and any issues to be resolved by TL, auditee and individuals managing needs and expectations of relevant interested parties drawback - no statistical estimate of uncertainty in findings and
that impact the management system conclusions reached
relevant interested parties and needs and expectations 6.3.3 Assigning work to audit team
type of organization, governance, size, structure, A.6.3 Statistical sampling
business activities TL in consultation with member should assign following auditing responsibilities : functions and relationships
Statistical sampling plans should align with :
products specific processes general business and management concepts
audit objectives
services and processes activities processes and related terminology
population characteristics
applicable statutory and regulatory requirements functions or locations planning, budgeting and management of individuals
sample selection process based on probability theory
risk management authority for decision-making cultural and social aspects of the auditee
Types :
project and process management assignments should take into account of following: Applicable statutory and regulatory requirements and
other requirements Attribute-based = Yes/No Pass/Fail (only 2 possible solutions)
information and communications technology (ICT) impartiality
enable to be aware of, and work within, the Variable-based = continuous range
Continuous upskilling organization's requirements
objectivity

5.4.3 Establishing extent of audit programme statutory and regulatory requirements and their
competence of auditor
governing agencies

Managed by individual(s) managing audit programme effective use of resources


basic legal terminology

factors impacting extent : roles and responsibility


contracting and liability

info by auditee's context TL to hold meeting to :


Awareness of statutory and regulatory requirements
The sampling plan should consider if outcomes are
does not imply legal expertise
auditee structure or activities attribute-based or variable-based.
allocate work assignment

management system audit should not be treated as a


may consist of single audit attribute-based for form conformity
decide possible changes legal compliance audit

Additional factors impacting extent : variable-based for incidents


changes can be made during audit progresses to achieve the objectives 7.2.3.3 Discipline and sector-specific competence of auditors

objective, scope and duration of each audit Elements that can affect the audit sampling plan
6.3.4 Preparing documented information for audit management system requirements and principles, and their application

number of audits context, size, nature and complexity of the org


team members to prepare document info as per the collected and fundamentals of the discipline(s) and sector(s) related to the management
reviewed info relevant to audit assignments systems standards as applied by the auditee
reporting method number of competent auditors

documented information for the audit can include but is not limited to: methods, techniques, processes and practices to enable the audit team to
if applicable, audit follow up assess conformity frequency of audits

physical or digital checklists


management system standards generate appropriate audit findings and conclusions time of individual audit

audit sampling details


locations, similarities, complexity and importance of audit activities principles, methods and techniques relevant to the discipline and sector to determine and any externally required confidence level

audio visual information evaluate risks and opportunities associated with the audit objectives
factors influencing the effectiveness of the management system occurrence of undesirable and/or unexpected
7.2.3.4 Generic competence of audit team leader events
use of these media should not restrict the extent of audit activities
audit criteria
plan the audit and assign audit tasks according to the specific competence of individual members 5% is the acceptable confidence level is the sampling risk the auditor is willing to
changes can happen due to info collected during audit
accept
statutory and regulatory requirements
Guidance on preparing audit work documents is given in A.13. discuss strategic issues with top management and if they
have considered these issue for risk and opportunities document statistical sampling :
planned arrangements for the relevant management system standard
Retention of documented info prepared or result from audit
develop and maintain a collaborative working relationship among the audit team members population description
previous internal or external audits
Till audit completion or as per audit programme
manage the audit process, including : sampling criteria
management reviews
retention described in 6.6
effective use of resources statistical parameters
results of a previous audit programme review
confidential info collected during audit be to
managing the uncertainty of achieving audit objectives methods used
language, cultural and social issues safeguarded at all times by the team

protecting the health and safety sample size


concerns of interested parties 6.4 Conducting audit activities

ensuring compliance of the auditors with the relevant results


customer complaints 6.4.1 General
health and safety
A.7 Auditing compliance within a management system
non-compliance with statutory and regulatory requirements Normally conducted in defined sequence
ensuring security arrangements
Consider effective process for :
and regulatory requirements
directing the audit team members
identifying its statutory and regulatory requirements
supply chain issues
providing direction and guidance to auditors-in-training
managing following to achieve compliance :
Change in auditee's context, operations, and related risk and opportunities
preventing and resolving conflicts and problems
activities
availability ICT (info and communication tech) to support audit activities. Remote audit in particular
represent the audit team to:
products
occurrence of internal and external events
individuals managing
services
nonconformities of products or service
client
evaluating its compliance status
information security leaks
auditee
audit team should check if the auditee:
health and safety incidents
lead the audit team to reach the audit conclusions
Identifies changes in compliance requirements and
criminal acts
prepare and complete the audit report manages them

environmental incidents
7.2.3.5 Knowledge and skills for auditing multiple disciplines Has competent individuals for compliance processes.

business risks and opportunities, including actions to address them


should have an understanding of the interactions and synergy between the Provides required compliance documentation
different management systems
5.4.4 Determining audit programme resources
Includes compliance in internal audits
TL should have understanding of each management system standards
Considerations :
Addresses non-compliance issues.
Recognise limits of team competence in each discipline
resources needed to develop, manage, and
Reviews compliance performance in management
improve audits - in terms of finance and time
Audit of multiple discipline can be : reviews.

audit methods
Combined audit A.8 Auditing context

Overall competence of auditors and technical experts


or Organizations must determine using strategic analysis and
planning techniques for the following :
extent of the audit programme
sequence may vary to suit circumstance of audit of integrated management system
context
specific audit
audit programme risks and opportunities
7.2.4 Achieving auditor competence
stakeholder needs
6.4.2 Assigning roles and responsibilities of guides and observers
travel time and cost, accommodation
completing training programmes
internal/external issues
TL/client/auditee should approve guides and observers to accompany
impact of different time zones
experience in a relevant technical, managerial or professional position
auditors should verify that effective processes are in place and used correctly
not to interfere or influence with audit conduct
availability of ICT
exercise of judgement, decision making, problem solving and communication with managers,
professionals, peers, customers and other relevant interested parties consider objective evidence related to the following:
if interference or influence not assured, then TL should have rights to deny observer
availability of required tools, tech, and eqpt
presence in audit activities
education/training and experience in a specific management system discipline and sector process(es) or method(s) used
availability of Documented Info as determined during
For observers, any arrangements for access, health and safety, environmental, security and
audit programme establishment
confidentiality should be managed between the audit client and the auditee audit experience acquired under the supervision of an auditor competent in the same discipline suitability and competence of the individuals
contributing to the process(es)
Requirements related to :
guide should assist audit team and act on request of TL or auditor to whom they are assigned 7.2.5 Achieving audit team leader competence
Process results
facility
Guide's responsibilities acquired additional audit experience to develop the competence described in 7.2.3.4
Application of results to management system scope
security clearances and development
assist in identifying individuals, time, and location for interview additional experience should be gained by working under different TL

background checks Periodic context reviews


arranging access to specific locations 7.3 Establishing auditor evaluation criteria

personal protective equipment Auditors should have sector-specific knowledge and understand management tools to
ensure rules and risk concerned with specific location are qualitative (during training or workshop exhibit)
judge process effectiveness.
respected and addressed. For
ability to wear clean room attire
desired behaviour
A.9 Auditing leadership and commitment
location access
5.5 Implementing audit programme
knowledge
Management systems standards require top management to show commitment and leadership,
health and safety
5.5.1 General taking accountability for the system's effectiveness and fulfilling responsibilities.
performance of the skills
environmental
implement operational plan and coordination of activities after estb audit Auditors should gather evidence of top management's involvement and commitment by reviewing
programme and determining necessary resources quantitative relevant processes and interviewing staff.
security

To Do by individuals managing audit: years of work experience Auditors should interview top management to confirm their understanding of relevant issues and
confidentiality organizational context.

communicate audit programme education


witnessing the audit on behalf of the auditee, when appropriate Auditors should assess leadership and commitment at all management levels.

communicate about risk and opportunities number of audits conducted


providing clarification or assisting in collecting information A.10 Auditing risks and opportunities

inform progress to interested parties hours of audit training


6.4.3 Conducting opening meeting An audit can include assessing the organization's risk and opportunity management

establish external and internal communication channels 7.4 Selecting appropriate auditor evaluation method
Purpose : Objectives are to:

define objectives, scope and criteria for each audit Use 2 or more methods from following table:
confirm the agreement of all participants (e.g. auditee, audit team) to the audit plan Ensure credible on the process of risk and opportunity identification

select audit methods


introduce the audit team and their roles Ensure risks and opportunities are identified and managed correctly

coordinate and schedule audits


ensure that all planned audit activities can be performed Review how risks and opportunities are addressed

ensure audit team competence


meeting attendance Auditing risks and opportunities should be part of the entire management system audit, including
interviews with top management.
provide necessary expert and overall resources for audit
auditee's management
Auditors should follow these steps and collect objective evidence :
ensure audit programme followed
individuals in charge of functions and processes to be audited
inputs used by the organization for determining its risks and opportunities
Manage following while deploying:
Q&A opportunity should be provided
analysis of external and internal issues
operational risks
Degree of details by the auditor should be appropriate as per the auditee. Eg less detail in
internal audit and complete details along with process in external audit strategic direction of the organization
opportunities and issues

other than internal meeting may be formal and records of attendance to be retained interested parties and requirements
documented information regarding the auditing activities

Should be chaired by TL discipline-specific management system


define and implement the operational controls for monitoring

Intro of following should be considered Potential risk sources like environmental aspects and
methods outlined represent a range of options and may not apply in all situations
review the audit programme in order to identify opportunities for its improvement
safety hazards
other participants, including observers and guides, interpreters and an outline of their roles
various methods outlined may differ in their reliability
5.5.2 Defining the objectives, scope and criteria for an individual audit
method by which risks and opportunities are evaluated, which can differ between
audit methods to manage risks to the organization resulting from the presence of the audit team members disciplines and sectors
combination of methods should be used to ensure an outcome that is objective, consistent, fair and reliable
should be consistent with overall audit programme

consideration for confirmation of following items : Auditors must use professional judgment to assess how the organization manages risks and
7.5 Conducting auditor evaluation
Objective may include the following opportunities, including acceptable risk levels and controls
audit objectives, scope and criteria
info collected during evaluation should be compared with 7.2.3 (Knowledge and skills)
determination of the extent of conformity of the management system with audit criteria A.11 Life cycle
audit plan and other relevant arrangements
Auditors failing to fulfil criteria to:
identification of opportunities for potential improvement of the management system Some management systems require a life cycle perspective for products and services.
date and time for the closing meeting
additional training
Evaluation of : Auditors should not consider this as a requirement to adopt a life cycle approach
any interim meetings between the audit team and the auditee's management
work or audit experience should be undertaken
suitability and adequacy of the management system This involves considering the organization's control over stages like :
any change(s) needed
subsequent re-evaluation should be performed
effectiveness of the management system in meeting intended result raw material acquisition
formal communication channels
7.6 Maintaining and improving auditor competence
capability of the management system : design
language to be used
TL and team should continually improve their competence
meeting relevant statutory and regulatory production
requirements
auditee being kept informed of audit progress
maintain their auditing competence by
delivery
establish and achieve objectives
availability of the resources and facilities needed by the audit team
regular participation in management system audits
use
effectively address risks and opportunities in a changing context including implementation of the
confidentiality and information security
related actions continual professional development
end of life treatment
relevant access, health and safety, security, emergency and other arrangements
Scope to be consistent with programme and objectives achieved through
final disposal
activities on site that can impact the conduct of the audit
locations additional work experience
This helps minimize environmental impact and add value
consideration for presentation of info of following items :
functions training
Auditors should judge how the organization applies a life cycle perspective in terms of:
method of reporting audit findings including criteria for grading
activities and processes to be audited private study
Product or service life
conditions under which the audit may be terminated
time period of audit coaching
organization's influence on the supply chain
how to deal with possible findings during the audit
Criteria to include : attendance at meetings
length of the supply chain
any system for feedback from the auditee on the findings or conclusions of the audit, including complaints or appeals
applicable policies seminars and conferences
technological complexity of the product
6.4.4 Communicating during audit
processes individual(s) managing the audit programme should establish suitable
If an organization combines multiple management systems, auditors should check for overlaps in life cycle considerations.
mechanisms for the continual evaluation
necessary formal communication arrangement between
procedures
A.12 Audit of supply chain
continual professional development activities should take into account the following :
team
performance criteria including objectives
audit of the supply chain to specific requirements can be required
changes in the needs of the individual and the organization
auditee responsible for the conduct of the audit
statutory and regulatory requirements
Develop the supplier audit program with criteria for different suppliers and providers
client developments in the practice of auditing including the
management system requirements
use of technology The scope of supply chain audits can vary, such as full management system, single process, product, or configuration audits
external interested parties
information regarding the context and the risks and opportunities as determined by the auditee
relevant standards including guidance/supporting A.13 Preparing audit work documents
requirement when statutory and regulatory requirements require mandatory reporting of nonconformities documents and other requirements
sector codes of conduct
Consideration for preparing Audit Work Document questions:
audit team should periodically changes in sector or disciplines
approval of modified audit programme, due to change in objective, scope or criteria, from
Which audit record will be created by using this work document?
interested parties as appropriate
exchange info
Which audit activity is linked to this particular work document?
5.5.3 Selecting and determining audit methods
assess audit progress
Who will be the user of this work document?
Responsibility - individuals managing audit programme
reassign work between team if necessary
What information is needed to prepare this work document?
depending on defined objectives, scope and criteria
TL should periodically
For combined audits, avoid duplicating activities by:
Audits can be performed on-site, remotely or as a combination
communicate the progress
clustering of similar requirements from different criteria
two or more auditing organizations conduct a joint audit
any significant findings
coordinating the content of related checklists and questionnaires
the individuals managing the different audit programmes should agree on the audit methods
and consider implications for resourcing and planning the audit any concerns to the auditee and audit client
Audit documents should cover all management system elements within the audit scope and can be in any
immediate reporting for evidence posing significant risk to auditee and client (if needed) media.
combined audit if 2 or more management systems

concerns outside audit scope, to be noted and reported to TL for possible communication to client and auditee A.14 Selecting sources of information
5.5.4 Selecting audit team members

for unattainable audit objectives with the available evidence TL should report to client and auditee for appropriate actions Information sources for audits can vary based on scope and complexity and may include:
Responsibility - individuals managing audit programme, including TL and Tech expert

action may include changes to- interviews with employees and other individuals
Audit team should be competent to achieve objective(s) with defined scope
audit planning - audit objectives -
audit scope- termination of the Observations of activities, work environment and
Audit team of only one individual = Audit team leader
audit conditions

Clause 7 contains guidance on determining the competence required for the audit
changes to audit plan becoming apparent audit activities should be reviewed and accepted by individual managing programme and client documented information, such as
team members and describes the processes for evaluating auditors.
and presented to the auditee
policies
Steps for overall competence of audit team :
6.4.5 Audit information availability and access
objectives
identification of the competence needed to achieve the objectives
audit method chosen depends on :
plans
Selection of team members with necessary competence
objectives
procedures
Consideration for deciding size and competence for specific audit :
scope
standards
overall competence needed to achieve objective, as
criteria
per criteria and within the scope
instructions
duration
complexity of the audit
licences
info location (physical and virtual location)
audit is a combined or joint audit
permits
when, where and how to access info is crucial to the audit
selected audit methods
specifications
independent of where created, used or stored
avoid conflict of interest by ensuring objectivity and impartiality
drawings
audit can use mixture of audit methods
audit team's effective work and interaction with auditee and
interested parties contracts
audit circumstances may lead to change in audit methods during audit

external/internal issues orders


6.4.6 Reviewing documented information while
conducting audit records, such as
language of the audit

determine the conformity of the system, as far as documented, with audit criteria inspection records
auditee’s social and cultural characteristics

gather information to support the audit activities minutes of meetings


addressed either by the auditor's own skills or by
support of technical expert
Guidance on how to verify information is provided in A.5 audit reports
type and complexity of the processes to be audited
review may be combined with the other audit activities records of monitoring programme
Technical expert can be part of audit team of competent support
not detrimental to the effectiveness of the conduct of the audit results of measurements
Auditor-in-training should participate under direction and guidance of auditor
If adequate documented info cannot be provided within the data summaries, analyses and performance indicators
time frame in the audit plan,
Change in audit team composition :
Information on sampling plans, control procedures and measurement processes
TL should inform individual managing audit programme and auditee
Conflict of interest
reports from other sources
decision should be made for audit to continue or suspend
competence issue
until documented info concern is resolved
customer feedback
resolve with appropriate parties before any changes are made
6.4.7 Collecting and verifying information
external surveys and measurements
5.5.5 Assigning responsibility for an individual audit to
relevant info should be collected by means of sampling and should be
the audit team leader relevant information from external parties
verified. This info can be relevant to :

Responsibility - TL, as should be assigned by indls of audit pgme external provider ratings
objective

assign well before time for effective planning of audit databases and websites
scope

Info to be provided for effective audit : simulation and modelling


criteria

audit objectives A.15 Visiting the auditee's location


interfaces between functions, activities, and processes

audit criteria and any relevant documented information To minimize interference and ensure safety during an audit visit, consider the following:
Only info which can be subjected to some degree of verification should be accepted as audit evidence

audit scope, along with org functions and process Planning the visit:
for low degree of verification auditor should use professional judgement to see the level if it can be kept as evidence eg :-
interviews, unverified records
audit processes and associated methods Ensure permission and access to relevant areas
Audit evidence leading to audit findings should be recorded.
composition of the audit team Provide auditors with information on security, health,
safety, cultural norms, and working hours
During collection of Objective evidence, if team becomes aware of circumstantial change or risk or opportunities, the team should
Auditee details : address accordingly
Confirm availability of required personal protective
contact equipment (PPE)

locations Confirm arrangements for mobile devices and


cameras, considering security and confidentiality

time frame
Inform personnel about audit objectives and scope
(except for unscheduled audits)
duration of audit activities

On-site activities:
resources necessary
provides an overview of a typical process, from collecting
information to reaching audit conclusions. avoid any unnecessary disturbance of the operational
information needed for evaluating and addressing identified risks and
processes
opportunities to the achievement of the audit objectives

ensure that the audit team is using PPE properly


information supporting TL for effective audit programme

ensure emergency procedures are communicated


additional assignment info :
(e.g. emergency exits, assembly points)

language - working and reporting


schedule communication to minimize disruption

audit report output as required and distribution list


Adjust audit team size and number of guides/
Methods of collecting information include, but are not limited to the following: observers to avoid interference
matters of confidentiality and information security

interviews Do not touch equipment without explicit permission


health, safety and environmental arrangements

observations Review incidents with the auditee and decide on audit


travel or access to remote sites continuation or interrupted or rescheduled

review of documented information


security and authorization requirements Ask for permission before taking document copies
and consider confidentiality
6.4.8 Generating audit findings
any actions to be reviewed, e.g. follow-up actions from a previous audit
Avoid collecting personal information unless required
Audit findings - evidence evaluated against criteria
coordination with other audit activities
Virtual audit activities:
indicates conformity or non-conformity
Agreement among different org conducting audits in a joint audit :
Use agreed remote access protocols and devices
when specified by audit plan, audit findings should include
Prior to audit commence
Ask for permission before taking screenshots and
conformity
specific responsibilities of each party consider confidentiality

good practices
authority of the team leader appointed for the audit Review incidents with the auditee and decide on audit
continuation or interrupted or rescheduled
supporting evidence
5.5.6 Managing audit programme results
Use floor plans/diagrams for reference
opportunities for improvement
Responsibility - individuals managing audit programme
Respect privacy during audit breaks
recommendations to auditee
activities to be performed :
Consider how to dispose of information and audit evidence after retention is no longer needed.
Nonconformities
evaluation of objectives achieved for each audit within a programme
A.16 Auditing virtual activities and locations
Along with their supporting audit evidence should be recorded.
review and approval of audit reports against scope and objective
Virtual audits use online environments to perform work or provide services, regardless of location
can be graded depending on org and its risks
review of the effectiveness of actions taken to address audit findings
Remote audits use technology to gather information and interview auditees when face-to-face methods aren't possible
grade - Quantitative (1-5) or Qualitative (minor, major)
distribution of audit reports
during virtual audits follow standard processes using technology to verify evidence. Ensure:
should be reviewed with auditee to obtain
determination of the necessity for any follow-up audit acknowledgement for accuracy of evidence
Use of agreed remote access protocols and devices

individual managing the programme should consider should be understood by auditee


Technical checks before the audit

communicating audit results and best practices to attempt should be made to resolve any diverging opinions concerning the audit evidence or findings
other areas of the organization Contingency plans for access interruptions and extra audit time

Unresolved issues should be recorded in the audit report.


implications for other processes Auditor competence should include:

audit team should meet to review the audit findings at appropriate stages during the audit.
5.5.7 Managing and maintaining audit programme records Technical skills to use electronic equipment and technology

6.4.9 Determining audit conclusions


individual(s) managing programme are responsible for audit programme Experience in conducting virtual meetings
generation, management and maintenance
6.4.9.1 Preparation for closing meeting (discussions)
During virtual audits, consider:
demonstrated audit programme implementation
review the audit findings and other info against audit objective
Risks of virtual or remote audits
establish processes to address conf and infosec need of records
agree on the audit conclusions, taking into account the
Using floor plans/diagrams for reference
uncertainty inherent in the audit process
Records can include :
Preventing background noise and interruptions
prepare recommendations, if specified by the audit plan
Records related to the audit programme
Asking permission for screenshots or recordings, considering confidentiality
discuss audit follow-up, as applicable
schedule of audits
Ensuring confidentiality and privacy during breaks
6.4.9.2 Content of audit conclusions
audit programme objectives and extent
A.17 Conducting interviews
address issues as follows
addressing audit programme risks and opportunities,
Interviews are crucial for collecting information and should be adapted to the situation and individual. Auditors
extent of conformity with the audit criteria
relevant external and internal issues should consider:

robustness of the management system


reviews of the audit programme effectiveness Interview individuals from relevant levels and functions within the audit scope

effectiveness of the management system


Records related to each audit Conduct interviews during normal working hours and, if possible, at the interviewee's
workplace
identification of risks and effectiveness of actions
audit plans and audit reports
Make efforts to put the interviewee at ease before and during the interview
effective implementation, maintenance and
objective audit evidence and findings improvement of the management system
Explain the purpose of the interview and note-taking

nonconformity reports achievement of audit objectives, coverage of audit


Start interviews by asking individuals to describe their work
scope and fulfilment of audit criteria
corrections and corrective action reports
Carefully select the type of questions
similar findings in previous patterns or trends in
audit follow-up reports previous findings
open

Records related to the audit team such as If specified by the audit plan, audit conclusions can lead to
recommendations for improvement, or future auditing activities closed

competence and performance evaluation of the audit team members


6.4.10 Conducting closing meeting leading questions

criteria for the selection of audit teams and team


members and formation of audit teams held to present the audit findings and conclusions appreciative inquiry

maintenance and improvement of competence chaired by the audit team leader Be aware of limited non-verbal communication in virtual settings; focus on question types for
objective evidence

The form and level of detail of the records should demonstrate that the objectives of the audit attended by the management of the auditee and
programme have been achieved. include, as applicable: Summarize and review interview results with the interviewee

5.6 Monitoring audit programme those responsible for the functions or processes which have been audited Thank the interviewees for their participation and cooperation

individual(s) managing the audit programme should ensure the evaluation of : the audit client A.18 Audit findings

schedules are being met other members of the audit team A.18.1 Determining audit findings

audit programme objectives are being achieved relevant interested parties as determined by the audit client and/or auditee When determining audit findings, consider:

performance of the audit team members TL should advise the auditee of situations encountered resulting in decreased confidence in audit conclusions Follow-up on previous audit records and conclusions

ability of the audit teams to implement the audit plan Time frame for an action plan to address audit findings Audit client requirements
should be agreed by participants:
Feedback from Accuracy, sufficiency, and appropriateness of evidence
defined in the management system
audit clients Realization of extent to which planned audit activities and results achieved
agreement with the audit client
auditees Findings exceeding normal practice or improvement opportunities
degree of detail should take into account the effectiveness of the
auditors management system to achieve : Sample size

technical experts auditee's objectives Categorization of audit findings (if any)

relevant parties consideration of its context A.18.2 Recording conformities

sufficiency and adequacy of documented information in the whole audit process risks and opportunities For records of conformity, consider:

Factor indicating need for change in audit programme : familiarity of the auditee with the audit process should also be taken into consideration during the closing meeting Description or reference to audit criteria

audit findings For some audit situations it can be : Evidence supporting conformity and effectiveness

demonstrated level of auditee’s management system effectiveness and maturity formal and minutes Declaration of conformity

effectiveness of the audit programme records attendance A.18.3 Recording nonconformities

audit scope or audit programme scope For internal it can be less formal and only finding and conclusions can be shared : For records of nonconformity, consider:

the auditee’s management system As applicable following should be explained to auditee : Description or reference to audit criteria

standards, and other requirements to which the organization is committed method of reporting Audit evidence

external providers audit evidence is based on sampling and need not represent Declaration of nonconformity
that auditee's process is effective

identified conflicts of interest Related audit findings


how the audit finding should be addressed based on the agreed process

the audit client’s requirements A.18.4 Dealing with findings related to multiple criteria
possible consequences of not adequately addressing the audit findings

5.7 Reviewing and improving audit programme Auditors may find issues related to multiple criteria. They should consider the
findings and conclusions to be understood by all same criteria and the impact on other management systems.

Responsibility
any related post-audit activities Eg :- appeal process, Auditors may raise:
audit complaints
Individual managing audit programme
Separate findings for each criterion
Any diverging opinions regarding the audit findings or conclusions between the audit team and the auditee should be
Audit client
discussed and, if possible, resolved. If not resolved, this should be recorded.
or

review audit programme to assess whether objectives are achieved


a single finding, combining the references to multiple criteria

Auditors may guide the auditee on how to respond to findings, depending on arrangements with client

lessons learnt from programme review should be input for improvement

Ensure following by the individuals managing programme :

review of the overall implementation of the audit programme

identification of areas and opportunities for improvement

application of changes to the audit programme if necessary

review of the continual professional development of auditors, in accordance with 7.6

reporting of the results of the audit programme and review with all relevant

audit programme review should consider the following:

results and trends from audit programme monitoring

conformity with audit programme processes and relevant documented information

evolving needs and expectations of relevant interested parties

audit programme records

alternative or new auditing methods

alternative or new methods to evaluate auditors

confidentiality and information security issues relating to the audit programme

effectiveness of the actions to address the risks and opportunities

internal and external issues associated with the audit programme

If specified by the audit objectives, opportunities for improvement recommendations may be presented. It should be emphasized that recommendations are not binding.

6.5 Preparing and distributing audit report

6.5.1 Preparing audit report

TL should report conclusions in accordance with programme

report - complete, accurate, concise and clear record of audit

Should Include or refer to the following :

objectives

scope

criteria

identification of the organization (the auditee)

functions or processes audited

identification of the audit client

identification of audit team and auditee's participants in the audit

dates and locations of audit activities

audit findings and related evidence

a statement on the degree to which the audit criteria have been fulfilled

any unresolved diverging opinions between the audit team and the auditee

audits by nature are a sampling exercise, hence risk of evidence may be representative

can also include or refer to the following :


audit plan including time schedule

summary of the audit process

obstacles encountered decreasing reliability of audit conclusions

confirmation that the audit objectives have been achieved within the audit scope in
accordance with the audit plan

any areas of scope not covered with related justifications due to :

resources

unavailability of evidence

confidentiality

summary covering the audit conclusions and the main audit findings that support them

good practices identified

agreed action plan follow-up

a statement of the confidential nature of the contents

any implications for the audit programme or subsequent audits

6.5.2 Distributing audit report

issued within an agreed period of time

if delayed, reason should be communicated to auditee and individuals managing

report should be dated and reviewed and accepted

relevant interested parties as defined in the audit programme or audit plan

measures to ensure confidentiality

6.6 Completing audit

completed :

when all planned audit activities have been carried out

otherwise as agreed with the audit client, e.g. unexpected situation

retention of documented info as per agreement and in accordance with programme

Unless required by law, info cannot be revealed to any party without explicit approval by client and auditee

if disclosure of content of audit document is necessary then client and auditee should be informed

Lessons learned from the audit can identify risks and opportunities for the audit programme and the auditee.

6.7 Conducting audit follow-up

if the audit outcome indicates a need for corrective action or opportunity for improvement, the following should be done:

agreed timeframe for correction by the auditee

keep the team and the individuals managing the programme informed about progress

completion and effectiveness of these actions should be verified

This verification may be part of a subsequent audit

Outcomes should be reported to the individual managing the audit programme and reported to the audit client for management review
