ISO 19011 Management Systems Audit Checklist

Since the first edition of ISO 19011 was published back in 2002, many new management system standards have been published. This makes the need for a standardized framework for performing management system audits greater than ever before.

ISO 19011 is that framework. The standard outlines a set of guidelines for performing audits on management systems, from management and planning, to the audit process, and carrying out evaluation of auditor competence.

This broader approach to management system audits is designed to streamline the process by recognizing the common structure that many ISO management systems share.

Management system audits can be conducted against a range of audit criteria, including (but not limited to):

• Requirements set of in existing ISO standards
• Policies and requirements defined by customers and stakeholders
• Government policy and similar regulatory requirements
• Documentation of internal management processes (defined by the organization being audited)
• Documentation of internal management system plans and procedures (relating to specific process outputs)

This checklist is designed to simplify the process of planning for and carrying out an audit of a management system. The checklist can be used to adapt the audit programme for the specific requirements of the audit, regardless of the management system type, the scope, complexity, or scale of the audit.

Focus is placed on internal audits (first and second party), however, this checklist can also be useful to prepare for external audits (thought it cannot be used to attain ISO certification).

This checklist is designed as a supplement, and is not intended to replace ISO 19011.

For best results, users are encouraged to edit the checklist and modify the contents to best suit their use cases, as it cannot provide specific guidance on the particular risks and controls applicable to every situation.

Typically, management system auditors will prepare custom checklists that reflect the specific scope, scale, and objectives of the management system being audited.

Audit programme manager details

Audit lead manager details

Certain tasks within this IS0 19011 Management Systems Audit Checklist will require review by the audit lead manager. Fill in the details below for the audit lead manager.

Auditee details

Audit details

Audit programme managers should have complete knowledge of:

In order to understand the context of the auditee, the audit programme should take into account the auditee’s:

The audit programme should include information about and identify resources to enable the audits to be conducted effectively and efficiently within the specified time frames.

The information should include:

Some of this information may not be available until more detailed audit planning is complete.

Record the context of the audit programme in the form field below.

The auditee must make sure that audit programme objectives are established to allow for planning and conducting of the audit to take place.

These objectives should be consistent with the auditee’s broader business goals and support their primary management system strategies and objectives.

Audit programme objectives might be based on:

Some examples of how the final objectives might look:

• Gain evidence to assure confidence in an external provider/partner
• Conform to all outstanding regulatory requirements
• Evaluate the ability of the organization to determine relevant risks and opportunities
• Evaluate the organization’s ability to understand its own context
• Identify opportunities for continuous improvement in the quality management system

Outline the audit programme objectives in the form field below.

Risks and opportunities relating to the context of the auditee can be effectively identified with an audit programme.

Audit programme managers should identify the risks and opportunities present when considering the full scope of the audit programme.

Risks and opportunities might be associated with:

• Planning
• Resources
• Selection of the audit team
• Internal communication and information security
• Audit implementation
• Control of documented information
• Monitoring and reviewing the audit programme
• Auditee cooperation
• Availability of evidence

This task will depend on information provided by the auditee regarding its context.

For the purpose of this checklist, “extent” of the audit programme refers to simply the number of individual audits and additional audit activities that will need to be carried out.

Using the information provided to you by the auditee, establish the scope of the audit programme using the form field below.

Determine the resources to be allocated for the audit programme.

When determining resource allocation, consider the following:

Prepare a resource allocation plan using the form field belw

It’s important to maintain clear communication with the auditee throughout the audit.

As such, the audit programme manager should prepare all documented information so far, in preparation for sharing the complete audit programme planning with the auditee.

The documented information may not be complete at this point; further approvals will be needed once more information has been documented.

Use the form fields in this task to record and/or upload documented information relevant to the audit programme so far.

Using everything you’ve prepared so far, communicate the audit programme with the auditee.

That’s as simple as sending an email using the email widget below. All of the relevant information has already been attached using form fields you’ve already filled in.

Audit programme managers should ensure the following responsibilities are properly fulfilled:

Finally, the audit programme manager should make sure that the audit programme so far is approved by the auditee.

Now that the basis for the audit programme has been established, you need to make sure all individuals involved with the planning of the audit are adequately informed and prepared.

This basically involves making sure the following information is clearly communicated and easily available to all members of audit programme manageme

You’ve already established the criteria for the audit programme; you also need to establish objectives of the individual audit.

Individual audit objectives will be consistent with the overall audit programme objectives, including the following (as an example):

Audit scope, shall be consistent with the audit programme and audit objectives.

Consider the following factors, and define the audit scope in the form field below:

For individual audits, criteria should be defined to be used as a reference against which conformity will be determined.

Individual audit criteria might include:

Record individual audit criteria in the form field below:

Audit program managers should select the specific methods to be used during the process of the audit.

Methods will depend on the established audit objectives, scope, and criteria.

Record the audit methods in the drop-down field below.

Audit programme managers should assign audit team members.

When deciding on your audit team, consider the following:

Use the members fields below to assign audit team members.

Should you require fewer or more audit team members, edit this template to your requirements.

Audit programme managers should be responsible for assigning the audit team leader.

This should be done well ahead of the scheduled date of the audit, to be sure that planning can take place in a timely manner.

A dynamic due date has been set for this task, for one month before the scheduled start date of the audit.

Use the form fields below to record the details of the lead auditor.

Audit programme managers should make sure proper preparations are made and that tools are in place for proper management of audit programme results.

That includes procedures for:

Audit programme managers should make sure all audit information is properly documented.

This is to be sure that the implementation of the audit programme can be adequately demonstrated.

That means processes for record maintenance will need to be established.

Records for the audit programme might include the following:

Records for individual audits might include:

Audit programme managers should also make sure that tools and systems are in place to ensure adequate monitoring of the audit programme and all relevant activities.

Relevant activities to be monitored might include any of the following:

Both the auditee and the audit programme manager should be responsible for reviewing the audit programme (including details of the individual audit(s) so far, to assess whether its objectives have been achieved.

Review of the audit programe is a stop task, meaning you cannot continue with this checklist until the audit programe has been approved.

Audit programme

Basic information

Audit programme manager: {{form.Audit_programme_manager_first_name}} {{form.Audit_programme_manager_second_name}}

Management system type: {{form.Management_system}}
ISO standard: {{form.ISO_standard}}

Audit programme context

{{form.Audit_programme_context}}

Objectives of the audit programme

{{form.Audit_programme_objectives}}

Risks and opportunities of the audit programme

Audit programme risks: {{form.Audit_programme_risks}}

Suggested actions for programme risks: {{form.Suggested_actions_for_programme_risks}}

Audit programme opportunities: {{form.Audit_programme_opportunities}}

Suggested actions for programme opportunities: {{form.Suggested_actions_for_programme_opportunities}}

Extent of the audit programme

{{form.Extent_of_audit_programme}}

Audit programme resources

{{form.Audit_programme_resources}}

Documented information

Documented audit programme information so far: {{form.Audit_programme_documented_information_(incomplete)}}

Additional documented information: {{form.Audit_programme_documented_information_(incomplete_-_additional)}}

Individual audit

Individual audit objectives

{{form.Individual_audit_objectives}}

Individual audit scope

{{form.Individual_audit_scope}}

Individual audit criteria

{{form.Individual_audit_criteria}}

Individual audit methods

Method: {{form.Individual_audit_method}}

Method notes: {{form.Audit_method_notes}}

Individual audit team

Lead auditor: {{form.Lead_auditor_first_name}} {{form.Lead_auditor_second_name}}

Audit team member: {{form.Audit_team_member_#1_full_name}}

Audit team member: {{form.Audit_team_member_#2_full_name}}

Audit team member: {{form.Audit_team_member_#3_full_name}}

Using the information above, both audit programme manager and auditee should assess the following:

Ultimately, an audit programme review should be written, with consideration of the following:

The lead auditor should make contact with the auditee and ensure the following:

Any scheduling of audit activities should be made well in advance.

For example, the dates of the opening and closing meetings should be provisionally declared for planning purposes.

The point of this task is to make sure there can be a reasonable determination that the individual audit objectives can be successfully achieved.

Using information available so far, determine whether the following factors are true:

If the individual audit objectives cannot be feasibly achieved, a viable alternative should be proposed.

This will need to be confirmed by the audit client

The lead auditor should obtain and review all documentation of the auditee’s management system, and approve, reject or reject with comments as required. The approval step is a stop task, meaning you cannot continue with this process until the required documentation has been reviewed.

This will help to prepare for individual audit activities, and will serve as a high-level overview from which the lead auditor will be able to better identify and understand areas of concern or nonconformity.

Documented information is an umbrella term that could refer to:

• Processes (either recorded on paper or with software)
• Management system documents and records
• Previous audit reports

The above list is by no means exhaustive. The lead auditor should also take into account individual audit scope, objectives, and criteria.

Reference material, such as individual ISO standards, will be useful at this point.

Using the form-fields below, record any issues of nonconformities observed.

Using the form field below, describe the issue(s) with documented information so far, and the steps taken to resolve the issue(s). 

The lead auditor should prepare an audit plan for the individual audit.

This plan should involve the following components and considerations:

Additional factors to consider include:

Using the form field below, upload the plan for the individual audit.

The lead auditor should assign work to the audit team.

Work to be assigned should be outlined in the audit plan.

You can use Process Street’s task assignment feature to assign specific tasks in this checklist to individual members of your audit team.

The audit team should collect and review relevant information for their individual audit task assignments and prepare any documented information that will be required for conducting the audit.

Such information might include (but shouldn’t be limited to):

Documented information collected during the audit may include proprietary information, and as such should be treated with due care and suitable safeguarding by all audit team members, at all times.

It may be necessary for additional observers or guides of some sort to accompany the audit team. This will of course depend on the context of the individual audit.

Whatever the case, they should not influence or interfere with the main audit process.

The lead auditor reserves the right to deny access to any observers and/or guides from audit activities, if and when they deem appropriate.

Record details of audit guides/observers using the form fields of this task.

An opening meeting between the auditee and all relevant parties should be held.

It’s advised that the opening meeting should be led by the lead auditor.

The scheduling for this meeting should have already been determined earlier in the checklist.

During the opening meeting, confirm the following with all relevant parties:

Typically, such an opening meeting will involve the auditee’s management, as well as crucial actors or specialists in relation to processes and procedures to be audited.

This meeting is a great opportunity to ask any questions about the audit process and generally clear the air of uncertainties or reservations.

Depending on the size and scope of the audit (and as such the organization being audited) the opening meeting might be as simple as announcing that the audit is starting, with a simple explanation of the nature of the audit.

Familiarity of the auditee with the audit process is also an important factor in determining how extensive the opening meeting should be.

During the opening meeting, the following items should be clearly communicated:

It may be necessary to establish a formal communication protocol.

Such a protocol can be useful for communication within the audit team, as well as with the auditee, and other relevant interested parties.

For example, certain language barriers may hinder communication, or specific channels of communication may be required to facilitate seamless audit conduct.

As well, certain regulatory requirements may specify that a formal communication protocol be followed.

Using the form field below, establish the formal communication protocol.

Where, when, and how information is accessible is a crucial factor during the audit.

It’s important to make clear where all relevant interested parties can find important audit information.

Make sure important information is readily accessible by recording the location in the form fields of this task.

You may want to consider uploading important information to a secure central repository (URL) that can be easily shared to relevant interested parties.

Audits can store important information both physically and/or virtually.

Evidence should be collected that is relevant to the management system requirements, audit objectives, audit scope, and audit criteria.

Appropriate sampling methods should be used when collecting audit evidence.

Audit evidence should be verifiable, and auditors should apply professional, rational judgement to determine whether or not proposed audit evidence is in fact reliable.

Below is a useful diagram showing how a source of information can lead to an audit conclusion, by way of evidence collection and evaluation against audit criteria.

Methods of collecting information include, but are not limited to:

• Interviews with workers and other relevant interested parties
• Auditor observations
• Review of documented information

Record audit evidence using the form fields below.

You may wish to edit the form fields to suit your audit programme and/or audit compliance requirements for collecting and recording evidence.

Audit evidence should be evaluated against the audit criteria in order to determine audit findings.

Audit findings can indicate conformity or nonconformity with audit criteria. When specified by the audit plan, individual audit findings should include conformity and good practices along with their supporting evidence, opportunities for improvement, and any recommendations to the auditee.

Nonconformities and their supporting audit evidence should be recorded.

Nonconformities can be graded depending on the context of the organization and its risks. This
grading can be quantitative (e.g. 1 to 5) and qualitative (e.g. minor, major).

They should be reviewed with the auditee in order to obtain acknowledgement that the audit evidence is accurate and that the nonconformities are understood.

Every attempt should be made to resolve any diverging opinions concerning the audit evidence or findings. Unresolved issues should be recorded in the audit report.

The audit team should meet as needed to review the audit findings at appropriate stages during the audit.

NOTE 1 Additional guidance on the identification and evaluation of audit findings is given in A.18.

NOTE 2 Conformity or nonconformity with audit criteria related to statutory or regulatory requirements or other requirements, is sometimes referred to as compliance or non-compliance.

The form fields below are simple suggestions for how you might generate audit findings. You may wish to edit them to better suit your individual audit requirements.

Conformities

Nonconformities

Audit reports should be issued within 24 hours of the audit to ensure the auditee is given opportunity to take corrective action in a timely, thorough fashion

If the report is issued several weeks after the audit, it will typically be lumped onto the “to-do” pile, and much of the momentum of the audit, including discussions of findings and feedback from the auditor, will have faded.

The lead auditor should prepare the audit report.

This task has been assigned a dynamic due date set to 24 hours after the audit evidence has been evaluated against criteria.

The audit report is the final record of the audit; the high-level document that clearly outlines a complete, concise, clear record of everything of note that happened during the audit.

Use the sub-checklist below to check off important items included within the audit report:

Use the form field below to upload the completed audit report.

As stressed in the previous task, that the audit report is distributed in a timely manner is one of the most important aspects of the entire audit process.

Use the email widget below to quickly and easily distribute the audit report to all relevant interested parties.

By default, the widget will send the report to:

• The auditee main point of contact ({{form.Auditee_main_point_of_contact}})
• The audit programme manager ({{form.Audit_programme_manager_email}}
• The lead auditor ({{form.Lead_auditor_email}})

Should you want to distribute the report to additional interested parties, simply add their email addresses to the email widget below:

Depending on the outcome of the audit, there may be a need for follow-up action.

Follow-up action might include:

• Corrective action in response to nonconformities
• Opportunities for improvement
• Actions to address risks and opportunities

A time-frame should be agreed upon between the audit team and auditee within which to carry out follow-up action.

As part of the follow-up actions, the auditee will be responsible for keeping the audit team informed of any relevant activities undertaken within the agreed time-frame. The completion and effectiveness of these actions will need to be verified – this may be part of a subsequent audit.

In any case, recommendations for follow-up action should be prepared ahead of the closing meeting and shared accordingly with relevant interested parties.

Use the form fields below to record follow-up action suggestions.

Before the closing meeting, the audit team should make adequate preparations.

Make sure the following items are resolved ahead of the closing meeting:

Be sure to record the date of the closing meeting as well.

Just like the opening meeting, it’s a great idea to conduct a closing meeting to orient everyone with the proceedings and outcome of the audit, and provide a firm resolution to the whole process.

The main point of the closing meeting should be to present audit findings and conclusions.

Lead auditors should be responsible for presenting audit findings and conclusions.

You can use the sub-checklist below as a kind of attendance sheet to make sure all relevant interested parties are in attendance at the closing meeting:

Once attendance has been taken, the lead auditor should go over the complete audit report, with special attention placed on:

Depending on the situation and context of the audit, formality of the closing meeting can vary.

For more formal audits, minutes and records of attendance can be kept.

For more informal (e.g. internal) audits, it can be sufficient to simply communicate audit findings and audit conclusions.

In any case, during the course of the closing meeting, the following should be clearly communicated to the auditee:

The audit is to be considered formally complete when all planned activities and tasks have been completed, and any recommendations or future actions have been agreed upon with the audit client.

All information documented during the course of the audit should be retained or disposed of, depending on:

• The nature of the information (sensitive, proprietary, etc.)
• Requirements for particular management system standards
• Any other agreements between relevant interested parties

It should be assumed that any information collected during the audit should not be disclosed to external parties without written approval of the auditee/audit client.

However, it may sometimes be a legal requirement that certain information be disclosed. Should that be the case, the auditee/audit client must be informed as soon as possible.

• ISO – ISO 19011:2018
• ISO – Consolidated ISO Supplement
• ISO – Management System Standards
• ISO – ISO 9001:2015
• ISO – ISO 45001:2018
• ISO – ISO 26000:2010
• ISO – ISO 27001:2013
• Samuel O. Idowu, Catalina Sitnikov, Lars Moratis – ISO 26000 – A Standardized View on Corporate Social Responsibility
• Martin Hinsch – ISO 9001:2015 for Everyday Operations
• David Lilburn Watson, Andrew Jones – Digital Forensics Processing and Procedures: Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best Practice Requirements

Disclaimer:

1. Process Street is not affiliated or in partnership with the International Organization for Standardization (ISO). The materials on Process Street’s website are provided on an as-is basis and are for educational purposes. Process Street makes no warranties, expressed or implied, and hereby disclaims and negates all other warranties including, without limitation, implied warranties or conditions of merchantability, fitness for a particular purpose, or non-infringement of intellectual property or other violation of rights.
2. Further, Process Street does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on its website or otherwise relating to such materials or on any sites linked to this site.

• ISO 9001 Internal Audit Checklist for Quality Management Systems
• ISO 45001 Occupational Health and Safety (OHS) Audit Checklist
• ISO 27001 Information Security Management System (ISO 27K ISMS) Audit Checklist
• ISO 9001 and ISO 14001 Integrated Management System (IMS) Checklist
• ISO 9000 Structure Template
• ISO 9000 Marketing Procedures
• ISO 14001 Environmental Management Self Audit Checklist
• ISO 14001 EMS Structure Template
• ISO 14001 EMS Mini-Manual Procedures
• ISO 26000 Social Responsibility Performance Assessment Checklist
• FMEA Template: Failure Mode and Effects Analysis
• SWOT Analysis Template