
5.4.1 Roles and responsibilities of the individual(s) managing the audit programme

The individual(s) managing the audit programme should:

a) establish the extent of the audit programme according to the relevant objectives (see 5.2) and any known constraints;
b) determine the external and internal issues, and risks and opportunities that can affect the audit programme, and implement actions to address them, integrating these actions in all relevant auditing activities, as appropriate;
c) ensure the selection of audit teams and the overall competence for the auditing activities by assigning roles, responsibilities and authorities, and supporting leadership, as appropriate;
d) establish all relevant processes including processes for:
— the coordination and scheduling of all audits within the audit programme;
— the establishment of audit objectives, scope(s) and criteria of the audits, determining audit methods and selecting the audit team;
— evaluating auditors;
— the establishment of external and internal communication processes, as appropriate;
— the resolution of disputes and handling of complaints;
— audit follow-up if applicable;
— reporting to the audit client and relevant interested parties, as appropriate.
e) determine and ensure provision of all necessary resources;
f) ensure that appropriate documented information is prepared and maintained, including audit programme records;
g) monitor, review and improve the audit programme;
h) communicate the audit programme to the audit client and, as appropriate, relevant interested parties.

The individual(s) managing the audit programme should request its approval by the audit client.

5.4.2 Competence of individual(s) managing audit programme

The individual(s) managing the audit programme should have the necessary competence to manage the programme and its associated risks and opportunities and external and internal issues effectively and efficiently, including knowledge of:
a) audit principles (see Clause 4), methods and processes (see A.1 and A.2);
b) management system standards, other relevant standards and reference/guidance documents;
c) information regarding the auditee and its context (e.g. external/internal issues, relevant interested parties and their needs and expectations, business activities, products, services and processes of the auditee);
d) applicable statutory and regulatory requirements and other requirements relevant to the business activities of the auditee.

As appropriate, knowledge of risk management, project and process management, and information and communications technology (ICT) may be considered.

The individual(s) managing the audit programme should engage in appropriate continual development activities to maintain the necessary competence to manage the audit programme.

5.4.3 Establishing extent of audit programme

The individual(s) managing the audit programme should determine the extent of the audit programme. This can vary depending on the information provided by the auditee regarding its context (see 5.3).

NOTE In certain cases, depending on the auditee's structure or its activities, the audit programme might only consist of a single audit (e.g. a small project or organization).

Other factors impacting the extent of an audit programme can include the following:
a) the objective, scope and duration of each audit and the number of audits to be conducted, reporting method and, if applicable, audit follow up;
b) the management system standards or other applicable criteria;
c) the number, importance, complexity, similarity and locations of the activities to be audited;
d) those factors influencing the effectiveness of the management system;
e) applicable audit criteria, such as planned arrangements for the relevant management system standards, statutory and regulatory requirements and other requirements to which the organization is committed;
f) results of previous internal or external audits and management reviews, if appropriate;
g) results of a previous audit programme review;
h) language, cultural and social issues;
i) the concerns of interested parties, such as customer complaints, non-compliance with statutory and regulatory requirements and other requirements to which the organization is committed, or supply chain issues;
j) significant changes to the auditee’s context or its operations and related risks and opportunities;
k) availability of information and communication technologies to support audit activities, in particular the use of remote audit methods (see A.16);
l) the occurrence of internal and external events, such as nonconformities of products or service, information security leaks, health and safety incidents, criminal acts or environmental incidents;
m) business risks and opportunities, including actions to address them.

5.4.4 Determining audit programme resources

When determining resources for the audit programme, the individual(s) managing the audit programme should consider:
a) the financial and time resources necessary to develop, implement, manage and improve audit activities;
b) audit methods (see A.1);
c) the individual and overall availability of auditors and technical experts having competence appropriate to the particular audit programme objectives;
d) the extent of the audit programme (see 5.4.3) and audit programme risks and opportunities (see 5.3);
e) travel time and cost, accommodation and other auditing needs;
f) the impact of different time zones;
g) the availability of information and communication technologies (e.g. technical resources required to set up a remote audit using technologies that support remote collaboration);
h) the availability of any tools, technology and equipment required;
i) the availability of necessary documented information, as determined during the establishment of the audit programme (see A.5);
j) requirements related to the facility, including any security clearances and equipment (e.g. background checks, personal protective equipment, ability to wear clean room attire).
