6.4.1 General
Audit activities are normally conducted in a defined sequence. This sequence may be varied to suit the circumstances of specific audits.
6.4.2 Assigning roles and responsibilities of guides and observers
Guides and observers may accompany the audit team with approvals from the audit team leader, audit client and/or auditee, if required. They should not influence or interfere with the conduct of the audit. If this cannot be assured, the audit team leader should have the right to deny observers from being present during certain audit activities. For observers, any arrangements for access, health and safety, environmental, security and confidentiality should be managed between the audit client and the auditee.
Guides, appointed by the auditee, should assist the audit team and act on the request of the audit team leader or the auditor to which they have been assigned. Their responsibilities should include the following:
a) assisting the auditors in identifying individuals to participate in interviews and confirming timings and locations;
b) arranging access to specific locations of the auditee;
c) ensuring that rules concerning location-specific arrangements for access, health and safety, environmental, security, confidentiality and other issues are known and respected by the audit team members and observers and any risks are addressed;
d) witnessing the audit on behalf of the auditee, when appropriate;
e) providing clarification or assisting in collecting information, when needed.
6.4.3 Conducting opening meeting
The purpose of the opening meeting is to:a) confirm the agreement of all participants (e.g. auditee, audit team) to the audit plan;
b) introduce the audit team and their roles;
c) ensure that all planned audit activities can be performed.
An opening meeting should be held with the auditee’s management and, where appropriate, those responsible for the functions or processes to be audited. During the meeting, an opportunity to ask questions should be provided. The degree of detail should be consistent with the familiarity of the auditee with the audit process. In many instances, e.g. internal audits in a small organization, the opening meeting may simply consist of communicating that an audit is being conducted and explaining the nature of the audit. For other audit situations, the meeting may be formal, and records of attendance should be retained. The meeting should be chaired by the audit team leader. Introduction of the following should be considered, as appropriate:
— other participants, including observers and guides, interpreters and an outline of their roles;
— the audit methods to manage risks to the organization which may result from the presence of the audit team members. Confirmation of the following items should be considered, as appropriate:
— the audit objectives, scope and criteria;
— the audit plan and other relevant arrangements with the auditee, such as the date and time for the closing meeting, any interim meetings between the audit team and the auditee’s management, and any change(s) needed;
— formal communication channels between the audit team and the auditee;
— the language to be used during the audit;
— the auditee being kept informed of audit progress during the audit;
— the availability of the resources and facilities needed by the audit team;
— matters relating to confidentiality and information security;
— relevant access, health and safety, security, emergency and other arrangements for the audit team;
— activities on site that can impact the conduct of the audit.
The presentation of information on the following items should be considered, as appropriate:
— the method of reporting audit findings including criteria for grading, if any;
— conditions under which the audit may be terminated;
— how to deal with possible findings during the audit;
— any system for feedback from the auditee on the findings or conclusions of the audit, including complaints or appeals.
6.4.4 Communicating during audit
During the audit, it may be necessary to make formal arrangements for communication within the audit team, as well as with the auditee, the audit client and potentially with external interested parties (e.g. regulators), especially where statutory and regulatory requirements require mandatory reporting of nonconformities. The audit team should confer periodically to exchange information, assess audit progress and reassign work between the audit team members, as needed. During the audit, the audit team leader should periodically communicate the progress, any significant findings and any concerns to the auditee and audit client, as appropriate. Evidence collected during the audit that suggests an immediate and significant risk should be reported without delay to the auditee and, as appropriate, to the audit client. Any concern about an issue outside the audit scope should be noted and reported to the audit team leader, for possible communication to the audit client and auditee. Where the available audit evidence indicates that the audit objectives are unattainable, the audit team leader should report the reasons to the audit client and the auditee to determine appropriate action. Such action may include changes to audit planning, the audit objectives or audit scope, or termination of the audit. Any need for changes to the audit plan which may become apparent as auditing activities progress should be reviewed and accepted, as appropriate, by both the individual(s) managing the audit program and the audit client and presented to the auditee.
6.4.5 Audit information availability and access
The audit methods chosen for an audit depend on the defined audit objectives, scope and criteria, as well as duration and location. The location is where the information needed for the specific audit activity is available to the audit team. This may include physical and virtual locations. Where, when and how to access audit information is crucial to the audit. This is independent of where the information is created, used and/or stored. Based on these issues, the audit methods need to be determined (see Table A.1). The audit can use a mixture of methods. Also, audit circumstances may mean that the methods need to change during the audit.
6.4.6 Reviewing documented information while conducting audit
The auditee’s relevant documented information should be reviewed to: — determine the conformity of the system, as far as documented, with audit criteria; — gather information to support the audit activities.
The review may be combined with the other audit activities and may continue throughout the audit, providing this is not detrimental to the effectiveness of the conduct of the audit. If adequate documented information cannot be provided within the time frame given in the audit plan, the audit team leader should inform both the individual(s) managing the audit program and the auditee. Depending on the audit objectives and scope, a decision should be made as to whether the audit should be continued or suspended until documented information concerns are resolved.
6.4.7 Collecting and verifying information
During the audit, information relevant to the audit objectives, scope and criteria, including information relating to interfaces between functions, activities and processes should be collected by means of appropriate sampling and should be verified, as far as practicable.
NOTE 1 For verifying information see A.5.
NOTE 2 Guidance on sampling is given in A.6.
Only information that can be subject to some degree of verification should be accepted as audit evidence. Where the degree of verification is low the auditor should use their professional judgement to determine the degree of reliance that can be placed on it as evidence. Audit evidence leading to audit findings should be recorded. If, during the collection of objective evidence, the audit team becomes aware of any new or changed circumstances, or risks or opportunities, these should be addressed by the team accordingly. Figure 2 provides an overview of a typical process, from collecting information to reaching audit conclusions. .
Methods of collecting information include, but are not limited to the following:
— interviews;
— observations;
— review of documented information.
NOTE 3 Guidance on selecting sources of information and observation is given in A.14.
NOTE 4 Guidance on visiting the auditee’s location is given in A.15.
NOTE 5 Guidance on conducting interviews is given in A.17.
6.4.8 Generating audit findings
Audit evidence should be evaluated against the audit criteria in order to determine audit findings. Audit findings can indicate conformity or nonconformity with audit criteria. When specified by the audit plan, individual audit findings should include conformity and good practices along with their supporting evidence, opportunities for improvement, and any recommendations to the auditee. Nonconformities and their supporting audit evidence should be recorded. Nonconformities can be graded depending on the context of the organization and its risks. This grading can be quantitative (e.g. 1 to 5) and qualitative (e.g. minor, major). They should be reviewed with the auditee in order to obtain acknowledgement that the audit evidence is accurate and that the nonconformities are understood. Every attempt should be made to resolve any diverging opinions concerning the audit evidence or findings. Unresolved issues should be recorded in the audit report. The audit team should meet as needed to review the audit findings at appropriate stages during the audit.
NOTE 1 Additional guidance on the identification and evaluation of audit findings is given in A.18.
NOTE 2 Conformity or nonconformity with audit criteria related to statutory or regulatory requirements or other requirements, is sometimes referred to as compliance or non-compliance.
6.4.9 Determining audit conclusions
6.4.9.1 Preparation for closing meeting
The audit team should confer prior to the closing meeting in order to:
a) review the audit findings and any other appropriate information collected during the audit, against the audit objectives;
b) agree on the audit conclusions, taking into account the uncertainty inherent in the audit process;
c) prepare recommendations, if specified by the audit plan; d) discuss audit follow-up, as applicable.
6.4.9.2 Content of audit conclusions
Audit conclusions should address issues such as the following:
a) the extent of conformity with the audit criteria and robustness of the management system, including the effectiveness of the management system in meeting the intended outcomes, the identification of risks and effectiveness of actions taken by the auditee to address risks;
b) the effective implementation, maintenance and improvement of the management system;
c) achievement of audit objectives, coverage of audit scope and fulfilment of audit criteria;
d) similar findings made in different areas that were audited or from a joint or previous audit for the purpose of identifying trends.
If specified by the audit plan, audit conclusions can lead to recommendations for improvement, or future auditing activities.
6.4.10 Conducting closing meeting
A closing meeting should be held to present the audit findings and conclusions.
The closing meeting should be chaired by the audit team leader and attended by the management of the auditee and include, as applicable:
— those responsible for the functions or processes which have been audited;
— the audit client;
— other members of the audit team;
— other relevant interested parties as determined by the audit client and/or auditee.
If applicable, the audit team leader should advise the auditee of situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions. If defined in the management system or by agreement with the audit client, the participants should agree on the time frame for an action plan to address audit findings.
The degree of detail should take into account the effectiveness of the management system in achieving the auditee’s objectives, including consideration of its context and risks and opportunities.
The familiarity of the auditee with the audit process should also be taken into consideration during the closing meeting, to ensure the correct level of detail is provided to participants.
For some audit situations, the meeting can be formal and minutes, including records of attendance, should be kept. In other instances, e.g. internal audits, the closing meeting can be less formal and consist solely of communicating the audit findings and audit conclusions.
As appropriate, the following should be explained to the auditee in the closing meeting:
a) advising that the audit evidence collected was based on a sample of the information available and is not necessarily fully representative of the overall effectiveness of the auditee’s processes;
b) the method of reporting;
c) how the audit finding should be addressed based on the agreed process;
d) possible consequences of not adequately addressing the audit findings;
e) presentation of the audit findings and conclusions in such a manner that they are understood and acknowledged by the auditee’s management;
f) any related post-audit activities (e.g. implementation and review of corrective actions, addressing audit complaints, appeal process).
Any diverging opinions regarding the audit findings or conclusions between the audit team and the auditee should be discussed and, if possible, resolved. If not resolved, this should be recorded.
If specified by the audit objectives, opportunities for improvement recommendations may be presented. It should be emphasized that recommendations are not binding.
Return to the ISO 19011 PDCA Audit Process Diagram