6.5.1 Preparing audit report
The audit team leader should report the audit conclusions in accordance with the audit program. The audit report should provide a complete, accurate, concise and clear record of the audit, and should include or refer to the following:
a) audit objectives;
b) audit scope, particularly identification of the organization (the auditee) and the functions or processes audited;
c) identification of the audit client;
d) identification of the audit team and the auditee’s participants in the audit;
e) dates and locations where the audit activities were conducted;
f) audit criteria;
g) audit findings and related evidence;
h) audit conclusions;
i) a statement on the degree to which the audit criteria have been fulfilled;
j) any unresolved diverging opinions between the audit team and the auditee;
k) a statement that audits are by nature a sampling exercise and that, as such, there is a risk that the audit evidence examined is not representative.
The audit report can also include or refer to the following, as appropriate:
— the audit plan including time schedule;
— a summary of the audit process, including any obstacles encountered that may decrease the reliability of the audit conclusions;
— confirmation that the audit objectives have been achieved within the audit scope in accordance with the audit plan;
— any areas within the audit scope not covered including any issues of availability of evidence, resources or confidentiality, with related justifications;
— a summary covering the audit conclusions and the main audit findings that support them;
— good practices identified;
— agreed action plan follow-up, if any;
— a statement of the confidential nature of the contents;
— any implications for the audit program or subsequent audits.
6.5.2 Distributing audit report
The audit report should be issued within an agreed period of time. If it is delayed, the reasons should be communicated to the auditee and the individual(s) managing the audit program. The audit report should be dated, reviewed and accepted, as appropriate, in accordance with the audit program.
The audit report should then be distributed to the relevant interested parties defined in the audit program or audit plan. When distributing the audit report, appropriate measures to ensure confidentiality should be considered.