
5.1 In general, an audit program should be established, which can include audits addressing one or more management system standards or other requirements, conducted either separately or in combination (combined audit).

The extent of an audit program should be based on the size and nature of the auditee, as well as on the nature, functionality, complexity, the type of risks and opportunities, and the level of maturity of the management system(s) to be audited.

The functionality of the management system can be even more complex when most of the important functions are outsourced and managed under the leadership of other organizations. Particular attention needs to be paid to where the most important decisions are made and what constitutes the top management of the management system.

In the case of multiple locations/sites (e.g. different countries), or where important functions are outsourced and managed under the leadership of another organization, particular attention should be paid to the design, planning and validation of the audit program.

In the case of smaller or less complex organizations, the audit program can be scaled appropriately.

In order to understand the context of the auditee, the audit program should take into account the auditee’s:

  • organizational objectives;
  • relevant external and internal issues;
  • needs and expectations of relevant interested parties;
  • information security and confidentiality requirements.


The planning of internal audit programs and, in some cases, programs for auditing external providers, can be arranged to contribute to other objectives of the organization.

The individual(s) managing the audit program should ensure the integrity of the audit is maintained and that there is not undue influence exerted over the audit.

Audit priority should be given to allocating resources and methods to matters in a management system with higher inherent risk and lower level of performance.

Competent individuals should be assigned to manage the audit program.

The audit program should include information and identify resources to enable the audits to be conducted effectively and efficiently within the specified time frames. The information should include:

a) objectives for the audit program;
b) risks and opportunities associated with the audit program (see 5.3) and the actions to address them;
c) scope (extent, boundaries, locations) of each audit within the audit program;
d) schedule (number/duration/frequency) of the audits;
e) audit types, such as internal or external;
f) audit criteria;
g) audit methods to be employed;
h) criteria for selecting audit team members;
i) relevant documented information.

Some of this information may not be available until more detailed audit planning is complete.

The implementation of the audit program should be monitored and measured on an ongoing basis (see 5.6) to ensure its objectives have been achieved. The audit program should be reviewed in order to identify needs for changes and possible opportunities for improvements (see 5.7).

