6.3.1 Performing review of documented information The relevant management system documented information of the auditee should be reviewed in order to: — gather information to understand the auditee’s operations and to prepare audit activities and applicable audit work documents (see 6.3.4), e.g. on processes, functions; — establish an overview of the extent of the documented information to determine possible conformity to the audit criteria and detect possible areas of concern, such as deficiencies, omissions or conflicts. The documented information should include, but not be limited to: management system documents and records, as well as previous audit reports. The review should take into account the context of the auditee’s organization, including its size, nature and complexity, and its related risks and opportunities. It should also take into account the audit scope, criteria and objectives.
NOTE Guidance on how to verify information is provided in A.5.
6.3.2 Audit planning
6.3.2.1 Risk-based approach to planning
The audit team leader should adopt a risk-based approach to planning the audit based on the information in the audit programme and the documented information provided by the auditee. Audit planning should consider the risks of the audit activities on the auditee’s processes and provide the basis for the agreement among the audit client, audit team and the auditee regarding the conduct of the audit. Planning should facilitate the efficient scheduling and coordination of the audit activities in order to achieve the objectives effectively. The amount of detail provided in the audit plan should reflect the scope and complexity of the audit, as well as the risk of not achieving the audit objectives. In planning the audit, the audit team leader should consider the following: a) the composition of the audit team and its overall competence; b) the appropriate sampling techniques (see A.6); c) opportunities to improve the effectiveness and efficiency of the audit activities;
d) the risks to achieving the audit objectives created by ineffective audit planning; e) the risks to the auditee created by performing the audit. Risks to the auditee can result from the presence of the audit team members adversely influencing the auditee’s arrangements for health and safety, environment and quality, and its products, services, personnel or infrastructure (e.g. contamination in clean room facilities). For combined audits, particular attention should be given to the interactions between operational processes and any competing objectives and priorities of the different management systems.
6.3.2.2 Audit planning details
The scale and content of the audit planning can differ, for example, between initial and subsequent audits, as well as between internal and external audits. Audit planning should be sufficiently flexible to permit changes which can become necessary as the audit activities progress. Audit planning should address or reference the following: a) the audit objectives; b) the audit scope, including identification of the organization and its functions, as well as processes to be audited; c) the audit criteria and any reference documented information; d) the locations (physical and virtual), dates, expected time and duration of audit activities to be conducted, including meetings with the auditee’s management; e) the need for the audit team to familiarize themselves with auditee’s facilities and processes (e.g. by conducting a tour of physical location(s), or reviewing information and communication technology); f) the audit methods to be used, including the extent to which audit sampling is needed to obtain sufficient audit evidence; g) the roles and responsibilities of the audit team members, as well as guides and observers or interpreters; h) the allocation of appropriate resources based upon consideration of the risks and opportunities related to the activities that are to be audited. Audit planning should take into account, as appropriate: — identification of the auditee’s representative(s) for the audit; — the working and reporting language of the audit where this is different from the language of the auditor or the auditee or both; — the audit report topics; — logistics and communications arrangements, including specific arrangements for the locations to be audited; — any specific actions to be taken to address risks to achieving the audit objectives and opportunities arising; — matters related to confidentiality and information security; — any follow-up actions from a previous audit or other source(s) e.g. lessons learned, project reviews; — any follow-up activities to the planned audit; — coordination with other audit activities, in case of a joint audit.
Audit plans should be presented to the auditee. Any issues with the audit plans should be resolved between the audit team leader, the auditee and, if necessary, the individual(s) managing the audit programme.
6.3.3 Assigning work to audit team
The audit team leader, in consultation with the audit team, should assign to each team member responsibility for auditing specific processes, activities, functions or locations and, as appropriate, authority for decision-making. Such assignments should take into account the impartiality and objectivity and competence of auditors and the effective use of resources, as well as different roles and responsibilities of auditors, auditors-in-training and technical experts. Audit team meetings should be held, as appropriate, by the audit team leader in order to allocate work assignments and decide possible changes. Changes to the work assignments can be made as the audit progresses in order to ensure the achievement of the audit objectives.
6.3.4 Preparing documented information for audit
The audit team members should collect and review the information relevant to their audit assignments and prepare documented information for the audit, using any appropriate media. The documented information for the audit can include but is not limited to: a) physical or digital checklists; b) audit sampling details; c) audio visual information. The use of these media should not restrict the extent of audit activities, which can change as a result of information collected during the audit.
NOTE Guidance on preparing audit work documents is given in A.13.
Documented information prepared for, and resulting from, the audit should be retained at least until audit completion, or as specified in the audit programme. Retention of documented information after audit completion is described in 6.6. Documented information created during the audit process involving confidential or proprietary information should be suitably safeguarded at all times by the audit team members.
Return to the ISO 19011 PDCA Audit Process Diagram
