
5.5.1 General

Once the audit programme has been established (see 5.4.3) and related resources have been determined (see 5.4.4) it is necessary to implement the operational planning and the coordination of all the activities within the programme.

The individual(s) managing the audit programme should:

a) communicate the relevant parts of the audit programme, including the risks and opportunities involved, to relevant interested parties and inform them periodically of its progress, using established external and internal communication channels;
b) define objectives, scope and criteria for each individual audit;
c) select audit methods (see A.1);
d) coordinate and schedule audits and other activities relevant to the audit programme;
e) ensure the audit teams have the necessary competence (see 5.5.4);
f) provide necessary individual and overall resources to the audit teams (see 5.4.4);
g) ensure the conduct of audits in accordance with the audit programme, managing all operational risks, opportunities and issues (i.e. unexpected events), as they arise during the deployment of the programme;
h) ensure relevant documented information regarding the auditing activities is properly managed and maintained (see 5.5.7);
i) define and implement the operational controls (see 5.6) necessary for audit programme monitoring;
j) review the audit programme in order to identify opportunities for its improvement (see 5.7).

5.5.2 Defining the objectives, scope and criteria for an individual audit

Each individual audit should be based on defined audit objectives, scope and criteria. These should be consistent with the overall audit programme objectives.

The audit objectives define what is to be accomplished by the individual audit and may include the following:

a) determination of the extent of conformity of the management system to be audited, or parts of it, with audit criteria;
b) evaluation of the capability of the management system to assist the organization in meeting relevant statutory and regulatory requirements and other requirements to which the organization is committed;
c) evaluation of the effectiveness of the management system in meeting its intended results;
d) identification of opportunities for potential improvement of the management system;
e) evaluation of the suitability and adequacy of the management system with respect to the context and strategic direction of the auditee;
f) evaluation of the capability of the management system to establish and achieve objectives and effectively address risks and opportunities, in a changing context, including the implementation of the related actions.

The audit scope should be consistent with the audit programme and audit objectives. It includes such factors as locations, functions, activities and processes to be audited, as well as the time period covered by the audit.

The audit criteria are used as a reference against which conformity is determined. These may include one or more of the following: applicable policies, processes, procedures, performance criteria including objectives, statutory and regulatory requirements, management system requirements, information regarding the context and the risks and opportunities as determined by the auditee (including relevant external/internal interested parties requirements), sector codes of conduct or other planned arrangements.

In the event of any changes to the audit objectives, scope or criteria, the audit programme should be modified if necessary and communicated to interested parties, for approval if appropriate. When more than one discipline is being audited at the same time it is important that the audit objectives, scope and criteria are consistent with the relevant audit programmes for each discipline. Some disciplines can have a scope that reflects the whole organization and others can have a scope that reflects a subset of the whole organization.


5.5.3 Selecting and determining audit methods

The individual(s) managing the audit programme should select and determine the methods for effectively and efficiently conducting an audit, depending on the defined audit objectives, scope and criteria. Audits can be performed on-site, remotely or as a combination. The use of these methods should be suitably balanced, based on, among others, consideration of associated risks and opportunities. Where two or more auditing organizations conduct a joint audit of the same auditee, the individuals managing the different audit programmes should agree on the audit methods and consider implications for resourcing and planning the audit. If an auditee operates two or more management systems of different disciplines, combined audits may be included in the audit programme.

5.5.4 Selecting audit team members

The individual(s) managing the audit programme should appoint the members of the audit team, including the team leader and any technical experts needed for the specific audit. An audit team should be selected, taking into account the competence needed to achieve the objectives of the individual audit within the defined scope. If there is only one auditor, the auditor should perform all applicable duties of an audit team leader.

NOTE Clause 7 contains guidance on determining the competence required for the audit team members and describes the processes for evaluating auditors.

To assure the overall competence of the audit team, the following steps should be performed:

— identification of the competence needed to achieve the objectives of the audit;
— selection of the audit team members so that the necessary competence is present in the audit team.

In deciding the size and composition of the audit team for the specific audit, consideration should be given to the following:

a) the overall competence of the audit team needed to achieve audit objectives, taking into account audit scope and criteria;
b) complexity of the audit;
c) whether the audit is a combined or joint audit;
d) the selected audit methods;
e) ensuring objectivity and impartiality to avoid any conflict of interest of the audit process;
f) the ability of the audit team members to work and interact effectively with the representatives of the auditee and relevant interested parties;
g) the relevant external/internal issues, such as the language of the audit, and the auditee’s social and cultural characteristics. These issues may be addressed either by the auditor's own skills or through the support of a technical expert, also considering the need for interpreters;
h) type and complexity of the processes to be audited.

Where appropriate, the individual(s) managing the audit programme should consult the team leader on the composition of the audit team.

If the necessary competence is not covered by the auditors in the audit team, technical experts with additional competence should be made available to support the team.

Auditors-in-training may be included in the audit team, but should participate under the direction and guidance of an auditor.

Changes to the composition of the audit team may be necessary during the audit, e.g. if a conflict of interest or competence issue arises. If such a situation arises, it should be resolved with the appropriate parties (e.g. audit team leader, the individual(s) managing the audit programme, audit client or auditee) before any changes are made.

5.5.5 Assigning responsibility for an individual audit to the audit team leader

The individual(s) managing the audit programme should assign the responsibility for conducting the individual audit to an audit team leader. The assignment should be made in sufficient time before the scheduled date of the audit, in order to ensure the effective planning of the audit.

To ensure effective conduct of the individual audits, the following information should be provided to the audit team leader:

a) audit objectives;
b) audit criteria and any relevant documented information;
c) audit scope, including identification of the organization and its functions and processes to be audited;
d) audit processes and associated methods;
e) composition of the audit team;
f) contact details of the auditee, the locations, time frame and duration of the audit activities to be conducted;
g) resources necessary to conduct the audit;
h) information needed for evaluating and addressing identified risks and opportunities to the achievement of the audit objectives;
i) information which supports the audit team leader(s) in their interactions with the auditee for the effectiveness of the audit programme.

The assignment information should also cover the following, as appropriate:

— working and reporting language of the audit where this is different from the language of the auditor or the auditee, or both;
— audit reporting output as required and to whom it is to be distributed;
— matters related to confidentiality and information security, as required by the audit programme;
— any health, safety and environmental arrangements for the auditors;
— requirements for travel or access to remote sites;
— any security and authorization requirements;
— any actions to be reviewed, e.g. follow-up actions from a previous audit;
— coordination with other audit activities, e.g. when different teams are auditing similar or related processes at different locations or in the case of a joint audit.

Where a joint audit is conducted, it is important to reach agreement among the organizations conducting the audits, before the audit commences, on the specific responsibilities of each party, particularly with regard to the authority of the team leader appointed for the audit.

5.5.6 Managing audit programme results

The individual(s) managing the audit programme should ensure that the following activities are performed:

a) evaluation of the achievement of the objectives for each audit within the audit programme;
b) review and approval of audit reports regarding the fulfilment of the audit scope and objectives;
c) review of the effectiveness of actions taken to address audit findings;
d) distribution of audit reports to relevant interested parties;
e) determination of the necessity for any follow-up audit.

The individual managing the audit programme should consider, where appropriate:

— communicating audit results and best practices to other areas of the organization, and
— the implications for other processes.

5.5.7 Managing and maintaining audit programme records

The individual(s) managing the audit programme should ensure that audit records are generated, managed and maintained to demonstrate the implementation of the audit programme. Processes should be established to ensure that any information security and confidentiality needs associated with the audit records are addressed.

Records can include the following:

a) Records related to the audit programme, such as:
— schedule of audits;
— audit programme objectives and extent;
— those addressing audit programme risks and opportunities, and relevant external and internal issues;
— reviews of the audit programme effectiveness.

b) Records related to each audit, such as:
— audit plans and audit reports;
— objective audit evidence and findings;
— nonconformity reports;
— corrections and corrective action reports;
— audit follow-up reports.

c) Records related to the audit team covering topics such as:
— competence and performance evaluation of the audit team members;
— criteria for the selection of audit teams and team members and formation of audit teams;
— maintenance and improvement of competence.

The form and level of detail of the records should demonstrate that the objectives of the audit programme have been achieved.

