ISO 19011 : 2018 GUIDELINES

FOR AUDITING
1
MANAGEMENT SYSTEMS
Steps to Develop Audit Program (5)

1) Establish Audit Program Objectives

i. Define objectives of audit program (needs: risks/opportunity, evaluation, previous audit result)
2) Determine and Evaluating Audit Program Risks and Opportunities
i. Identify risks -> planning, resources, audit team, communication, implementation, etc
ii. Identify opportunity -> allowing multiple audits to be conducted in a single visit, minimizing time and distances travelling to
site
3) Establish Audit Program
i. Roles and responsibilities of the individual(s) managing the audit program
a) ensuring the selection of audit teams
b) determine the external and internal issues, and risks and opportunities
c) monitor, review and improve the audit program
ii. Competence of individual(s) managing audit program
a) audit principles, methods and processes
b) management system standards and other relevant standards
c) information regarding the auditee and its context
Steps to Develop Audit Program (5) (Cont.)

iii. Establish extend of Audit Program

a) Scope, depth, and detail of the audit activities and procedures that need to be performed to achieve the audit objectives
iv. Determine Audit Program Resources
b) Consider: Audit methods, financial, time, availability of auditors, etc
4) Implementing Audit Program
i. Define objectives, scope, and criteria for an individual audit
a) Consistent with the relevant audit programs for each discipline
ii. Selecting and determining audit methods
b) Determine the methods for effectively and efficiently conducting an audit, depending on the defined audit objectives, scope
and criteria
iii. Selecting audit team members
a) Identification of the competence
iv. Assigning responsibility for an individual audit to audit team leader
a) Should be made in sufficient time before the scheduled date of the audit
Steps to Develop Audit Program (5) (Cont.)

v. Managing audit program results

a) Evaluating of the achievement of the objectives for each audit within the program
b) Communicating audit results and best practices to other areas of the organization and the implications for other processes
vi. Managing and maintaining audit program records
a) Records can include -> records related to the audit program (schedule of audits), records related to each audit (audit
plans), records related to the audit team covering topics (competence of team members)
5) Monitoring Audit Program
a) Evaluation of:
i. Schedules are being met and audit program objectives are achieved
ii. Performance of the team leader and team members
iii. Ability of the audit teams to implement the audit plan
iv. Feedback from auditee
v. Sufficiency and adequacy of documented information during audit process
Steps to Develop Audit Program (5) (Cont.)

6) Reviewing and Improving Audit Program

a) Ensure:
i. Review overall implementation of audit program
ii. Identification of areas and opportunities for improvement
iii. Application to changes to audit program
iv. Review professional development of auditors
v. Report of audit program result and review with interested parties
Steps to Develop Audit Plan (6.3)

1) Perform review of documented information

a) Gather information and to understand the auditee’s operation
2) Audit Planning
a) Risk based approach to planning
i. Conduct risk assessment
b) Should consider:
i. Composition and competence of audit team
ii. Sampling techniques
iii. Opportunities to improve the effectiveness and efficiency of the audit activities
iv. The risks to achieving the audit objectives created by ineffective audit planning
v. The risks to the auditee created by performing the audit
Steps to Develop Audit Plan (6.3) (Cont.)

3) Audit Planning Details

a) The audit objectives;
b) The audit scope
c) The audit criteria and any reference documented information;
d) The locations (physical and virtual), dates, expected time and duration
e) The need for the audit team to familiarize themselves with auditee’s facilities and processes
f) The audit methods to be used
g) The roles and responsibilities of the audit team members
h) The allocation of appropriate resources based upon consideration of the risks and opportunities
4) Assign Work to Audit Team
a) Assign roles and responsibility to audit team for audit activities
5) Preparing Documented Information for Audit
a) Collect and review the information related to the audit activities (Audit Checklist)
Steps to Conduct Audit Activities (6.4)

1) Assign roles and responsibility to guides and observers

a) The team leader defines the power for guides and observers, ensuring they cannot interrupt the audit activities
2) Conduct Opening Meeting
a) The purposes are to confirm the auditee of agreement with audit plan, introduce audit team and the roles, ensure that all planned
activities can be performed
3) Communicating during audit
a) Team leader should communicate with the auditee about the audit progress (findings, concerns) during the audit activities
4) Audit information availability and access
a) Audit team should know where the information located based on the audit methodology
5) Reviewing documented information while conducting audit
a) Purpose of reviewing auditee’s documented information is to determine the conformity and gather information
6) Collecting and verifying information
a) Methods of collecting data: observations, interviews, and review of documented information
b) Record the evidence leading to audit findings
Steps to Conduct Audit Activities (6.4) (Cont.)

7) Generate Audit Findings

a) Using audit criteria to determine audit findings (qualitative major/minor/etc & quantitative 1-5)
8) Determining Audit Conclusions
a) Preparation of Closing Meeting-> review audit findings against the audit objectives, prepare recommendations,
discuss follow up audit, agree on audit conclusion
b) Content of audit conclusions -> must include: extend the conformity and the robustness; effective
implementation, maintenance, and improvement; achievement of audit objectives, similar findings in previous
audit
c) Conducting closing meeting -> advising the audit evidence collected based on the sample available information,
method of reporting, how the audit finding should be addressed, possible consequences of not fulfilling the audit
findings, and post audit activities (corrective action, audit complaints, etc)
Steps to Report Findings (6.5)

1) Preparing Audit Report

a) Should include;
a) Audit Objectives
b) Audit Scope
c) Identification of audit client
d) Identification of audit team and auditee’s participant
e) Dates and locations
f) Audit Criteria
g) Audit Findings and related evidence
h) Audit Conclusions
i) A statement on the degree to which the audit criteria have been fulfilled
j) Any unresolved diverging opinions between audit team and the auditee
k) Audits by nature are a sampling exercise; as such there is a risk that the audit evidence examined is not representative
Steps to Report Findings (6.5) (Cont.)

2) Distributing Audit Report

1) Should be dated, reviewed, and accepted in accordance with the audit program
2) Should be distributed to the relevant interested parties defined in the audit program
3) Ensure the confidentiality