Templates /
ISO 19011 Management Systems Audit Checklist

ISO 19011 Management Systems Audit Checklist

Run this checklist to prepare for and run an audit programme against any management system, using the guidelines set out in ISO 19011:2018 for auditing management systems.
1
Introduction:
2
Enter basic details
3
Managing the audit (programme preparation):
4
Establish competence of audit programme managers
5
Establish context of the audit programme
6
Establish objectives of the audit programme
7
Determine risks and opportunities of the audit programme
8
Establish extent of the audit programme
9
Establish audit programme resources
10
Prepare all documented information so far
11
Communicate the audit programme so far with auditee
12
Ensure relevant duties have been fulfilled so far
13
Managing the audit (individual audit preparation):
14
Ensure individuals planning the audit are prepared
15
Establish objectives of the individual audit
16
Define scope of the individual audit
17
Define criteria of the individual audit
18
Determine individual audit methods
19
Assign audit team members
20
Assign audit team leader
21
Ensure audit programme results are properly managed
22
Ensure audit programme records are properly maintained
23
Ensure audit programme monitoring is in place
24
Managing the audit (programme review):
25
Review the audit programme so far
26
Approval:
27
Audit process (initiating the audit):
28
Establish contact with the auditee
29
Determine feasibility of individual audit objectives
30
(Conditional) Propose alternative audit approach
31
Audit process (preparing to conduct the audit):
32
Review documented information
33
Approval:
34
(Conditional) Resolve documented information issue(s)
35
Prepare an audit plan
36
Assign work to audit team
37
Prepare documented information for audit
38
Audit process (conducting the audit):
39
(Conditional) Assign audit guides and/or observers
40
Conduct an opening meeting
41
(Conditional) Establish formal communication protocol
42
Ensure relevant audit information is accessible
43
Collect and record audit evidence
44
Evaluate audit evidence against audit criteria
45
Audit process (concluding the audit):
46
Prepare audit report
47
Distribute audit report
48
(Conditional) Prepare for audit follow-up
49
Prepare for closing meeting
50
Conduct closing meeting
51
Complete the audit
52
Sources:
53
Related checklists:

Introduction:

Since the first edition of ISO 19011 was published back in 2002, many new management system standards have been published. This makes the need for a standardized framework for performing management system audits greater than ever before.

ISO 19011 is that framework. The standard outlines a set of guidelines for performing audits on management systems, from management and planning, to the audit process, and carrying out evaluation of auditor competence.

This broader approach to management system audits is designed to streamline the process by recognizing the common structure that many ISO management systems share.

Management system audits can be conducted against a range of audit criteria, including (but not limited to):

  • Requirements set of in existing ISO standards
  • Policies and requirements defined by customers and stakeholders
  • Government policy and similar regulatory requirements
  • Documentation of internal management processes (defined by the organization being audited)
  • Documentation of internal management system plans and procedures (relating to specific process outputs)

This checklist is designed to simplify the process of planning for and carrying out an audit of a management system. The checklist can be used to adapt the audit programme for the specific requirements of the audit, regardless of the management system type, the scope, complexity, or scale of the audit.

Focus is placed on internal audits (first and second party), however, this checklist can also be useful to prepare for external audits (thought it cannot be used to attain ISO certification).

This checklist is designed as a supplement, and is not intended to replace ISO 19011.

For best results, users are encouraged to edit the checklist and modify the contents to best suit their use cases, as it cannot provide specific guidance on the particular risks and controls applicable to every situation.

Typically, management system auditors will prepare custom checklists that reflect the specific scope, scale, and objectives of the management system being audited.

Enter basic details

Audit programme manager details



Audit lead manager details

Certain tasks within this IS0 19011 Management Systems Audit Checklist will require review by the audit lead manager. Fill in the details below for the audit lead manager.



Auditee details



Audit details




Managing the audit (programme preparation):

Establish competence of audit programme managers

Audit programme managers should have complete knowledge of:

  • 1

    Audit processes, policies, and procedures
  • 2

    Relevant management system standards
  • 3

    All documented information about the auditee and its context
  • 4

    Any additional regulatory requirements

Establish context of the audit programme

In order to understand the context of the auditee, the audit programme should take into account the auditee’s:

  • 1

    Organizational objectives
  • 2

    Relevant external and internal issues
  • 3

    The needs and expectations of relevant interested parties
  • 4

    Information security and confidentiality requirements

The audit programme should include information about and identify resources to enable the audits to be conducted effectively and efficiently within the specified time frames.

The information should include:

  • 1

    Objectives for the audit programme
  • 2

    Risks and opportunities associated with the audit programme (see 5.3) and the actions to address them
  • 3

    Scope (extent, boundaries, locations) of each audit within the audit programme
  • 4

    Schedule (number/duration/frequency) of the audits
  • 5

    Audit types, such as internal or external
  • 6

    Audit criteria
  • 7

    Audit methods to be employed
  • 8

    Criteria for selecting audit team members
  • 9

    Relevant documented information

Some of this information may not be available until more detailed audit planning is complete.

Record the context of the audit programme in the form field below.


Establish objectives of the audit programme

The auditee must make sure that audit programme objectives are established to allow for planning and conducting of the audit to take place.

These objectives should be consistent with the auditee’s broader business goals and support their primary management system strategies and objectives.

Audit programme objectives might be based on:

  • 1

    Specific process and policy requirements
  • 2

    Expectations and requirements of customers
  • 3

    Specific management system requirements (e.g. ISO 9001)
  • 4

    External stakeholder evaluation
  • 5

    KPIs
  • 6

    Conformities and nonconformities in the organization
  • 7

    Risks and opportunities
  • 8

    Results of previous audits

Some examples of how the final objectives might look:

  • Gain evidence to assure confidence in an external provider/partner
  • Conform to all outstanding regulatory requirements
  • Evaluate the ability of the organization to determine relevant risks and opportunities
  • Evaluate the organization’s ability to understand its own context
  • Identify opportunities for continuous improvement in the quality management system

Outline the audit programme objectives in the form field below.


Determine risks and opportunities of the audit programme

Risks and opportunities relating to the context of the auditee can be effectively identified with an audit programme.

Audit programme managers should identify the risks and opportunities present when considering the full scope of the audit programme.

Risks and opportunities might be associated with:

  • Planning
  • Resources
  • Selection of the audit team
  • Internal communication and information security
  • Audit implementation
  • Control of documented information
  • Monitoring and reviewing the audit programme
  • Auditee cooperation
  • Availability of evidence




Establish extent of the audit programme

This task will depend on information provided by the auditee regarding its context.

For the purpose of this checklist, “extent” of the audit programme refers to simply the number of individual audits and additional audit activities that will need to be carried out.

Using the information provided to you by the auditee, establish the scope of the audit programme using the form field below.


Establish audit programme resources

Determine the resources to be allocated for the audit programme.

When determining resource allocation, consider the following:

  • 1

    Audit methods at your disposal
  • 2

    Time available
  • 3

    Finances available
  • 4

    Availability of competent auditors and other relevant technical experts
  • 5

    Risks and opportunities of the audit programme
  • 6

    Full accommodation of auditing needs, including travel costs, time, etc.
  • 7

    Time zones
  • 8

    Methods of communication between everyone involved
  • 9

    Tools, tech, and equipment required
  • 10

    Availability of required documented information
  • 11

    On-site requirements e.g. clearances, special equipment, expert guidance, etc.

Prepare a resource allocation plan using the form field belw


Prepare all documented information so far

It’s important to maintain clear communication with the auditee throughout the audit.

As such, the audit programme manager should prepare all documented information so far, in preparation for sharing the complete audit programme planning with the auditee.

The documented information may not be complete at this point; further approvals will be needed once more information has been documented.

Use the form fields in this task to record and/or upload documented information relevant to the audit programme so far.


Communicate the audit programme so far with auditee

Using everything you’ve prepared so far, communicate the audit programme with the auditee.

That’s as simple as sending an email using the email widget below. All of the relevant information has already been attached using form fields you’ve already filled in.

Ensure relevant duties have been fulfilled so far

Audit programme managers should ensure the following responsibilities are properly fulfilled:

  • 1

    Establish the extent of the audit programme (in-line with programme objectives)
  • 2

    Ensure audit teams are adequately selected
  • 3

    Clarify all relevant processes
  • 4

    Determine and provision resources
  • 5

    Prepare all documented information
  • 6

    Clearly communicate the audit programme objectives and documentation thus far to the auditee

Finally, the audit programme manager should make sure that the audit programme so far is approved by the auditee.

  • 1

    Audit approved by auditee

Managing the audit (individual audit preparation):

Ensure individuals planning the audit are prepared

Now that the basis for the audit programme has been established, you need to make sure all individuals involved with the planning of the audit are adequately informed and prepared.

This basically involves making sure the following information is clearly communicated and easily available to all members of audit programme manageme

  • 1

    Risks and opportunities
  • 2

    All documented information so far
  • 3

    Scope, objectives, and individual audit criteria
  • 4

    Selected audit methods
  • 5

    Scheduling of all audit-related activities
  • 6

    Audit team competence
  • 7

    Individual and overall resources
  • 8

    Documentation procedures for evidence collecting (and all audit activity)
  • 9

    Operational controls for audit programme monitoring

Establish objectives of the individual audit

You’ve already established the criteria for the audit programme; you also need to establish objectives of the individual audit.

Individual audit objectives will be consistent with the overall audit programme objectives, including the following (as an example):

  • 1

    Extent of the management system to be audited
  • 2

    The management system’s capacity to help the organization to meet relevant regulatory requirements
  • 3

    Effectiveness of the management system in producing its intended results
  • 4

    Opportunities for management system improvements
  • 5

    Suitability of the management system with respect to overall strategic context and business objectives of the auditee

Define scope of the individual audit

Audit scope, shall be consistent with the audit programme and audit objectives.

Consider the following factors, and define the audit scope in the form field below:

    • 1

      Audit location
    • 2

      Audit function
    • 3

      Audit activities
    • 4

      Processes to be audited
    • 5

      Audit time-frame

    Define criteria of the individual audit

    For individual audits, criteria should be defined to be used as a reference against which conformity will be determined.

    Individual audit criteria might include:

    • 1

      Relevant policies
    • 2

      Processes and standard operating proceudures
    • 3

      Performance objectives and KPIs
    • 4

      Statutory and other relevant regulatory requirements
    • 5

      Management system requirements (e.g. other ISO standards)
    • 6

      Risks and opportunities as determined by the auditee
    • 7

      Internal codes of conduct

    Record individual audit criteria in the form field below:


    Determine individual audit methods

    Audit program managers should select the specific methods to be used during the process of the audit.

    Methods will depend on the established audit objectives, scope, and criteria.

    Record the audit methods in the drop-down field below.



    Assign audit team members

    Audit programme managers should assign audit team members.

    When deciding on your audit team, consider the following:

    • 1

      Overall competence required by the audit team
    • 2

      Audit complexity
    • 3

      Combined or joint audit?
    • 4

      Audit methods
    • 5

      Ability of the audit team to work and interact effectively with the auditee
    • 6

      Relevant internal and external issues (e.g. auditee language barriers)
    • 7

      Type and complexity of processes to be audited (do they require specialized knowledge?)

    Use the members fields below to assign audit team members.




    Should you require fewer or more audit team members, edit this template to your requirements.

    Assign audit team leader

    Audit programme managers should be responsible for assigning the audit team leader.

    This should be done well ahead of the scheduled date of the audit, to be sure that planning can take place in a timely manner.

    A dynamic due date has been set for this task, for one month before the scheduled start date of the audit.

    Use the form fields below to record the details of the lead auditor.




    Ensure audit programme results are properly managed

    Audit programme managers should make sure proper preparations are made and that tools are in place for proper management of audit programme results.

    That includes procedures for:

    • 1

      Evaluating the achievement of objectives of individual audits within the audit programme
    • 2

      Review and approval of audit reports
    • 3

      Distribution of and access to audit reports
    • 4

      Review of actions taken in response to audit findings
    • 5

      Determining whether or not follow-up audits are necessary

    Ensure audit programme records are properly maintained

    Audit programme managers should make sure all audit information is properly documented.

    This is to be sure that the implementation of the audit programme can be adequately demonstrated.

    That means processes for record maintenance will need to be established.

    Records for the audit programme might include the following:

    • 1

      Scheduling of audit activities
    • 2

      Programme scope and objectives
    • 3

      Risks and opportunities
    • 4

      Internal and external issues
    • 5

      Effectiveness of the audit programme

    Records for individual audits might include:

    • 1

      Plans for the individual audit activities
    • 2

      Evidence and findings
    • 3

      Conformity and nonconformity reports
    • 4

      Corrective action reports
    • 5

      Follow-up reports
    • 6

      Other relevant reports

    Ensure audit programme monitoring is in place

    Audit programme managers should also make sure that tools and systems are in place to ensure adequate monitoring of the audit programme and all relevant activities.

    Relevant activities to be monitored might include any of the following:

    • 1

      Timeliness of the audit (whether deadlines and schedules are being met)
    • 2

      Performance of the audit team members (including lead auditor)
    • 3

      Successful implementation of audit plans
    • 4

      Feedback from auditee and other relevant parties
    • 5

      Documentation of audit activities

    Managing the audit (programme review):

    Review the audit programme so far

    Both the auditee and the audit programme manager should be responsible for reviewing the audit programme (including details of the individual audit(s) so far, to assess whether its objectives have been achieved.

    Review of the audit programe is a stop task, meaning you cannot continue with this checklist until the audit programe has been approved.


    Audit programme

    Basic information

    Audit programme manager: {{form.Audit_programme_manager_first_name}} {{form.Audit_programme_manager_second_name}}

    Management system type: {{form.Management_system}}
    ISO standard: {{form.ISO_standard}}

    Audit programme context

    {{form.Audit_programme_context}}

    Objectives of the audit programme

    {{form.Audit_programme_objectives}}

    Risks and opportunities of the audit programme

    Audit programme risks: {{form.Audit_programme_risks}}

    Suggested actions for programme risks: {{form.Suggested_actions_for_programme_risks}}

    Audit programme opportunities: {{form.Audit_programme_opportunities}}

    Suggested actions for programme opportunities: {{form.Suggested_actions_for_programme_opportunities}}

    Extent of the audit programme

    {{form.Extent_of_audit_programme}}

    Audit programme resources

    {{form.Audit_programme_resources}}

    Documented information

    Documented audit programme information so far: {{form.Audit_programme_documented_information_(incomplete)}}

    Additional documented information: {{form.Audit_programme_documented_information_(incomplete_-_additional)}}


    Individual audit

    Individual audit objectives

    {{form.Individual_audit_objectives}}

    Individual audit scope

    {{form.Individual_audit_scope}}

    Individual audit criteria

    {{form.Individual_audit_criteria}}

    Individual audit methods

    Method: {{form.Individual_audit_method}}

    Method notes: {{form.Audit_method_notes}}

    Individual audit team

    Lead auditor: {{form.Lead_auditor_first_name}} {{form.Lead_auditor_second_name}}

    Audit team member: {{form.Audit_team_member_#1_full_name}}

    Audit team member: {{form.Audit_team_member_#2_full_name}}

    Audit team member: {{form.Audit_team_member_#3_full_name}}


    Using the information above, both audit programme manager and auditee should assess the following:

    • 1

      How both audit programme and individual audit have been implemented
    • 2

      Opportunities for improvement
    • 3

      Changes that might be required
    • 4

      Competence of the audit team

    Ultimately, an audit programme review should be written, with consideration of the following:

    • 1

      Results of audit programme monitoring
    • 2

      How the programme conforms with documented processes and procedures
    • 3

      The needs and expectations of the auditee and other relevant interested parties
    • 4

      Alternative auditing methods
    • 5

      Alternative auditor evaluation methods
    • 6

      How risks and opportunities are being addressed
    • 7

      Information security issues

    Approval:

    Will be submitted for approval:

    • Review the audit programme so far

      Will be submitted

    Audit process (initiating the audit):

    Establish contact with the auditee

    The lead auditor should make contact with the auditee and ensure the following:

    • 1

      Basic introduction and clear outline of lead auditor roles and responsibilities
    • 2

      Clarify the methods of communication
    • 3

      Permission has been granted to proceed with the audit
    • 4

      The auditee understands the audit programme so far
    • 5

      Relevant information is accessible to all parties involved with the audit
    • 6

      Request access to additional relevant information
    • 7

      Determine if there are any additional regulatory requirements that will impact audit activities
    • 8

      Confirm information security policies
    • 9

      Confirm audit scheduling
    • 10

      Location-specific arrangements are made
    • 11

      Auditee understands requirements for additional observers/guides etc.
    • 12

      Risk areas of note are communicated
    • 13

      Outstanding issues are resolved

    Any scheduling of audit activities should be made well in advance.

    For example, the dates of the opening and closing meetings should be provisionally declared for planning purposes.

    Determine feasibility of individual audit objectives

    The point of this task is to make sure there can be a reasonable determination that the individual audit objectives can be successfully achieved.

    Using information available so far, determine whether the following factors are true:

    • 1

      The audit team has sufficient information to adequately plan for the individual audit
    • 2

      There is adequate cooperation with the auditee
    • 3

      There is adequate time to complete the audit objectives
    • 4

      There is adequate resources to complete the audit objectives

    (Conditional) Propose alternative audit approach

    If the individual audit objectives cannot be feasibly achieved, a viable alternative should be proposed.

    This will need to be confirmed by the audit client


    • 1

      Alternative approach confirmed by auditee

    Audit process (preparing to conduct the audit):

    Review documented information

    The lead auditor should obtain and review all documentation of the auditee’s management system, and approve, reject or reject with comments as required. The approval step is a stop task, meaning you cannot continue with this process until the required documentation has been reviewed.

    This will help to prepare for individual audit activities, and will serve as a high-level overview from which the lead auditor will be able to better identify and understand areas of concern or nonconformity.

    Documented information is an umbrella term that could refer to:

    • Processes (either recorded on paper or with software)
    • Management system documents and records
    • Previous audit reports

    The above list is by no means exhaustive. The lead auditor should also take into account individual audit scope, objectives, and criteria.

    Reference material, such as individual ISO standards, will be useful at this point.

    Using the form-fields below, record any issues of nonconformities observed.


    Approval:

    Will be submitted for approval:

    • Review documented information

      Will be submitted

    (Conditional) Resolve documented information issue(s)

    Using the form field below, describe the issue(s) with documented information so far, and the steps taken to resolve the issue(s). 



    Prepare an audit plan

    The lead auditor should prepare an audit plan for the individual audit.

    This plan should involve the following components and considerations:

    • 1

      Roles and responsibilities of each audit team member
    • 2

      Risk-based approach to audit planning
    • 3

      Scheduling and coordination of audit activities
    • 4

      Scope and complexity of the audit
    • 5

      Sampling techniques for collecting evidence
    • 6

      Opportunities for improvement
    • 7

      Risks of inadequate planning
    • 8

      Impact of the audit on auditee activities

    Additional factors to consider include:

    • 1

      Auditee language (and additional communication barriers)
    • 2

      Logistics of the audit
    • 3

      Actions taken in response to risk assessments
    • 4

      Consideration of information security protocol
    • 5

      Follow-up actions from previous audits
    • 6

      Anticipated follow-up actions associated with this audit
    • 7

      Requirements of a joint audit

    Using the form field below, upload the plan for the individual audit.



    Assign work to audit team

    The lead auditor should assign work to the audit team.

    Work to be assigned should be outlined in the audit plan.

    You can use Process Street’s task assignment feature to assign specific tasks in this checklist to individual members of your audit team.

    Prepare documented information for audit

    The audit team should collect and review relevant information for their individual audit task assignments and prepare any documented information that will be required for conducting the audit.

    Such information might include (but shouldn’t be limited to):

    • 1

      Paper documents outlining policies and procedures
    • 2

      Digital records of policies and procedures
    • 3

      Digital checklists
    • 4

      Details and instructions for audit sampling methods
    • 5

      Supplementary audio-visual information

    Documented information collected during the audit may include proprietary information, and as such should be treated with due care and suitable safeguarding by all audit team members, at all times.

    Audit process (conducting the audit):

    (Conditional) Assign audit guides and/or observers

    It may be necessary for additional observers or guides of some sort to accompany the audit team. This will of course depend on the context of the individual audit.

    Whatever the case, they should not influence or interfere with the main audit process.

    The lead auditor reserves the right to deny access to any observers and/or guides from audit activities, if and when they deem appropriate.

    Record details of audit guides/observers using the form fields of this task.








    Conduct an opening meeting

    An opening meeting between the auditee and all relevant parties should be held.

    It’s advised that the opening meeting should be led by the lead auditor.

    The scheduling for this meeting should have already been determined earlier in the checklist.

    During the opening meeting, confirm the following with all relevant parties:

    • 1

      Audit programme plans
    • 2

      Individual audit scope
    • 3

      Individual audit objectives
    • 4

      Individual audit criteria
    • 5

      Individual audit plans
    • 6

      Roles and responsibilities of the audit team
    • 7

      That all planned activities can be performed, and proper authorization is acquired
    • 8

      Language of the audit
    • 9

      Information security protocol
    • 10

      Relevant access and arrangements for the audit team
    • 11

      Notable on-site activities that could impact audit process

    Typically, such an opening meeting will involve the auditee’s management, as well as crucial actors or specialists in relation to processes and procedures to be audited.

    This meeting is a great opportunity to ask any questions about the audit process and generally clear the air of uncertainties or reservations.

    Depending on the size and scope of the audit (and as such the organization being audited) the opening meeting might be as simple as announcing that the audit is starting, with a simple explanation of the nature of the audit.

    Familiarity of the auditee with the audit process is also an important factor in determining how extensive the opening meeting should be.

    During the opening meeting, the following items should be clearly communicated:

    • 1

      Methods for reporting and communicating audit progress
    • 2

      Conditions of audit termination
    • 3

      Procedures for dealing with audit findings during the audit
    • 4

      Procedures for receiving feedback from the auditee in response to findings during the audit

    (Conditional) Establish formal communication protocol

    It may be necessary to establish a formal communication protocol.

    Such a protocol can be useful for communication within the audit team, as well as with the auditee, and other relevant interested parties.

    For example, certain language barriers may hinder communication, or specific channels of communication may be required to facilitate seamless audit conduct.

    As well, certain regulatory requirements may specify that a formal communication protocol be followed.

    Using the form field below, establish the formal communication protocol.


    Ensure relevant audit information is accessible

    Where, when, and how information is accessible is a crucial factor during the audit.

    It’s important to make clear where all relevant interested parties can find important audit information.

    Make sure important information is readily accessible by recording the location in the form fields of this task.

    You may want to consider uploading important information to a secure central repository (URL) that can be easily shared to relevant interested parties.

    Audits can store important information both physically and/or virtually.


    Collect and record audit evidence

    Evidence should be collected that is relevant to the management system requirements, audit objectives, audit scope, and audit criteria.

    Appropriate sampling methods should be used when collecting audit evidence.

    Audit evidence should be verifiable, and auditors should apply professional, rational judgement to determine whether or not proposed audit evidence is in fact reliable.

    Below is a useful diagram showing how a source of information can lead to an audit conclusion, by way of evidence collection and evaluation against audit criteria.

    Source: https://www.sciencedirect.com/topics/computer-science/audit-standard

    Methods of collecting information include, but are not limited to:

    • Interviews with workers and other relevant interested parties
    • Auditor observations
    • Review of documented information

    Record audit evidence using the form fields below.

    You may wish to edit the form fields to suit your audit programme and/or audit compliance requirements for collecting and recording evidence.


    Evaluate audit evidence against audit criteria

    Audit evidence should be evaluated against the audit criteria in order to determine audit findings.

    Audit findings can indicate conformity or nonconformity with audit criteria. When specified by the audit plan, individual audit findings should include conformity and good practices along with their supporting evidence, opportunities for improvement, and any recommendations to the auditee.

    Nonconformities and their supporting audit evidence should be recorded.

    Nonconformities can be graded depending on the context of the organization and its risks. This
    grading can be quantitative (e.g. 1 to 5) and qualitative (e.g. minor, major).

    They should be reviewed with the auditee in order to obtain acknowledgement that the audit evidence is accurate and that the nonconformities are understood.

    Every attempt should be made to resolve any diverging opinions concerning the audit evidence or findings. Unresolved issues should be recorded in the audit report.

    The audit team should meet as needed to review the audit findings at appropriate stages during the audit.

    NOTE 1 Additional guidance on the identification and evaluation of audit findings is given in A.18.

    NOTE 2 Conformity or nonconformity with audit criteria related to statutory or regulatory requirements or other requirements, is sometimes referred to as compliance or non-compliance.

    The form fields below are simple suggestions for how you might generate audit findings. You may wish to edit them to better suit your individual audit requirements.


    Conformities










    Nonconformities




    • 1

      Nonconformity #1 is communicated to and understood by the auditee




    • 1

      Nonconformity #2 is communicated to and understood by the auditee




    • 1

      Nonconformity #3 is communicated to and understood by the auditee



    Audit process (concluding the audit):

    Prepare audit report

    Audit reports should be issued within 24 hours of the audit to ensure the auditee is given opportunity to take corrective action in a timely, thorough fashion

    If the report is issued several weeks after the audit, it will typically be lumped onto the “to-do” pile, and much of the momentum of the audit, including discussions of findings and feedback from the auditor, will have faded.

    The lead auditor should prepare the audit report.

    This task has been assigned a dynamic due date set to 24 hours after the audit evidence has been evaluated against criteria.

    The audit report is the final record of the audit; the high-level document that clearly outlines a complete, concise, clear record of everything of note that happened during the audit.

    Use the sub-checklist below to check off important items included within the audit report:

    • 1

      Audit programme objectives
    • 2

      Individual audit objectives
    • 3

      Individual audit scope
    • 4

      Individual audit criteria
    • 5

      An overview of the auditee & their context
    • 6

      Roles and responsibilities of the audit team
    • 7

      Key dates and locations of the audit
    • 8

      Complete audit findings and corresponding evidence
    • 9

      Audit conclusions
    • 10

      Assessment of audit criteria
    • 11

      Unresolved conflicts of opinion between audit team and auditee

    Use the form field below to upload the completed audit report.


    Distribute audit report

    As stressed in the previous task, that the audit report is distributed in a timely manner is one of the most important aspects of the entire audit process.

    Use the email widget below to quickly and easily distribute the audit report to all relevant interested parties.

    By default, the widget will send the report to:

    • The auditee main point of contact ({{form.Auditee_main_point_of_contact}})
    • The audit programme manager ({{form.Audit_programme_manager_email}}
    • The lead auditor ({{form.Lead_auditor_email}})

    Should you want to distribute the report to additional interested parties, simply add their email addresses to the email widget below:

    (Conditional) Prepare for audit follow-up

    Depending on the outcome of the audit, there may be a need for follow-up action.

    Follow-up action might include:

    • Corrective action in response to nonconformities
    • Opportunities for improvement
    • Actions to address risks and opportunities

    A time-frame should be agreed upon between the audit team and auditee within which to carry out follow-up action.

    As part of the follow-up actions, the auditee will be responsible for keeping the audit team informed of any relevant activities undertaken within the agreed time-frame. The completion and effectiveness of these actions will need to be verified – this may be part of a subsequent audit.

    In any case, recommendations for follow-up action should be prepared ahead of the closing meeting and shared accordingly with relevant interested parties.

    Use the form fields below to record follow-up action suggestions.


    Prepare for closing meeting

    Before the closing meeting, the audit team should make adequate preparations.

    Make sure the following items are resolved ahead of the closing meeting:

    • 1

      All audit findings are reviewed against audit objectives
    • 2

      Audit conclusions are agreed upon
    • 3

      Recommendations are prepared, if necessary
    • 4

      Follow-up action has been discussed and agreed upon

    Be sure to record the date of the closing meeting as well.

    Conduct closing meeting

    Just like the opening meeting, it’s a great idea to conduct a closing meeting to orient everyone with the proceedings and outcome of the audit, and provide a firm resolution to the whole process.

    The main point of the closing meeting should be to present audit findings and conclusions.

    Lead auditors should be responsible for presenting audit findings and conclusions.

    You can use the sub-checklist below as a kind of attendance sheet to make sure all relevant interested parties are in attendance at the closing meeting:

    • 1

      Auditee management
    • 2

      Audit programme manager
    • 3

      Individuals responsible for the processes and procedures being audited
    • 4

      The audit client
    • 5

      All members of the audit team
    • 6

      Other relevant interested parties, as determined by the auditee/audit programme

    Once attendance has been taken, the lead auditor should go over the complete audit report, with special attention placed on:

    • 1

      If applicable, first addressing any special occurrences or situations that might have impacted the reliability of audit conclusions
    • 2

      Making sure all present are familiar with or have access to the complete audit report
    • 3

      Making sure the auditee is familiar with the audit process
    • 4

      Confirming the time-frame for audit follow-up actions
    • 5

      Diverging opinions / disagreements in relation to audit findings between any relevant interested parties
    • 6

      Opportunities for improvement

    Depending on the situation and context of the audit, formality of the closing meeting can vary.

    For more formal audits, minutes and records of attendance can be kept.

    For more informal (e.g. internal) audits, it can be sufficient to simply communicate audit findings and audit conclusions.

    In any case, during the course of the closing meeting, the following should be clearly communicated to the auditee:

    • 1

      That audit evidence is based on sample information, and therefore cannot be fully representative of the overall effectiveness of the processes being audited
    • 2

      The specific methods of audit reporting used
    • 3

      Complete audit findings and conclusions
    • 4

      Advice for how to proceed in light of audit findings
    • 5

      Consequences if audit findings are not addressed
    • 6

      Recommendations for post-audit follow-up activities
    • 7

      The fact that recommendations are not binding

    Complete the audit

    The audit is to be considered formally complete when all planned activities and tasks have been completed, and any recommendations or future actions have been agreed upon with the audit client.

    All information documented during the course of the audit should be retained or disposed of, depending on:

    • The nature of the information (sensitive, proprietary, etc.)
    • Requirements for particular management system standards
    • Any other agreements between relevant interested parties

    It should be assumed that any information collected during the audit should not be disclosed to external parties without written approval of the auditee/audit client.

    However, it may sometimes be a legal requirement that certain information be disclosed. Should that be the case, the auditee/audit client must be informed as soon as possible.

    Sources:

    Disclaimer:

    1. Process Street is not affiliated or in partnership with the International Organization for Standardization (ISO). The materials on Process Street’s website are provided on an as-is basis and are for educational purposes. Process Street makes no warranties, expressed or implied, and hereby disclaims and negates all other warranties including, without limitation, implied warranties or conditions of merchantability, fitness for a particular purpose, or non-infringement of intellectual property or other violation of rights.
    2. Further, Process Street does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on its website or otherwise relating to such materials or on any sites linked to this site.

    Take control of your workflows today.