Introduction:

One of the core functions of an information security management system (ISMS) is an internal audit of the ISMS against the requirements of the ISO/IEC 27001:2013 standard.

Especially for smaller organizations, this can also be one of the hardest functions to successfully implement in a way that meets the requirements of the standard.

This checklist is designed to streamline the ISO 27001 audit process, so you can perform first and second-party audits, whether for an ISMS implementation or for contractual or regulatory reasons.

The checklist is intended as a generic guidance; it is not a replacement for ISO 27001.

For best results, users are encouraged to edit the checklist and modify the contents to best suit their use cases, as it cannot provide specific guidance on the particular risks and controls applicable to every situation.

Typically, management system auditors will prepare custom checklists that reflect the specific scope, scale, and objectives of the ISMS being audited.

Enter basic details

Audit documentation should include the details of the auditor, as well as the start date, and basic information about the nature of the audit. 

More detailed information will be gathered later in the checklist.

Before beginning preparations for the audit, enter some basic details about the information security management system (ISMS) audit using the form fields below.

Audit programme manager information

Auditee information

If this process involves multiple people, you can use the members form field to allow the person running this checklist to select and assign additional individuals.

For example, if management is running this checklist, they may wish to assign the lead internal auditor after completing the ISMS audit details.

Preparing for the audit:

Establish context of the ISMS audit

In order to understand the context of the audit, the audit programme manager should take into account the auditee’s:

  • 1
    Business goals and objectives
  • 2
    Relevant external and internal issues
  • 3
    The needs and expectations of relevant interested parties
  • 4
    Information security and confidentiality requirements of the ISMS

Record the context of the audit in the form field below.

Establish objectives of the ISMS audit

The audit programme manager needs to establish objectives of the QMS audit.

Individual audit objectives need to be consistent with the context of the auditee, including the following factors:

  • 1
    Extent of the QMS to be audited
  • 2
    Capacity of the QMS to help the organization to meet relevant regulatory requirements
  • 3
    Effectiveness of the QMS in producing its intended results
  • 4
    Opportunities for QMS improvements
  • 5
    Suitability of the QMS with respect to overall strategic context and business objectives of the auditee

Determine ISMS audit scope

Audit scope should be consistent with the context of the auditee.

Consider the following factors, and define the audit scope in the form field below:

  • 1
    Audit location
  • 2
    Audit function
  • 3
    Audit activities
  • 4
    Processes to be audited
  • 5
    Audit time-frame

Establish criteria of the ISMS audit

For individual audits, criteria should be defined to be used as a reference against which conformity will be determined.

Individual audit criteria might include:

  • 1
    Relevant policies
  • 2
    Processes and standard operating proceudures
  • 3
    Performance objectives and KPIs
  • 4
    Statutory and other relevant regulatory requirements
  • 5
    Management system requirements (e.g. other ISO standards)
  • 6
    Risks and opportunities as determined by the auditee
  • 7
    Internal codes of conduct

Ensure ISMS audit monitoring systems are in place

Audit programme managers should also make sure that tools and systems are in place to ensure adequate monitoring of the audit and all relevant activities.

Relevant activities to be monitored might include any of the following:

  • 1
    Timeliness of the audit (whether deadlines and schedules are being met)
  • 2
    Performance of the audit team members (including lead auditor)
  • 3
    Successful implementation of audit plans
  • 4
    Feedback from auditee and other relevant parties
  • 5
    Documentation of audit activities

Request documented information from auditee

Request all existing relevant ISMS documentation from the auditee. You can use the form field below to quickly and easily request this information

Assign audit roles and responsibilities:

Assign audit team

Audit programme managers should assign audit team members.

When deciding on your audit team, consider the following:

  • 1
    Overall competence required by the audit team
  • 2
    Audit complexity
  • 3
    Combined or joint audit?
  • 4
    Audit methods
  • 5
    Ability of the audit team to work and interact effectively with the auditee
  • 6
    Relevant internal and external issues (e.g. auditee language barriers)
  • 7
    Type and complexity of processes to be audited (do they require specialized knowledge?)

Use the various fields below to assign audit team members.

Should you require fewer or more audit team members, edit this template to your requirements.

Assign audit team lead

Audit programme managers should be responsible for assigning the audit team leader.

This should be done well ahead of the scheduled date of the audit, to be sure that planning can take place in a timely manner.

dynamic due date has been set for this task, for one month before the scheduled start date of the audit.

Use the form fields below to record the details of the lead auditor.

Reviewing documented information:

Review auditee's documented information

The lead auditor should obtain and review all documentation of the auditee's management system. They audit leader can then approve, reject or reject with comments the documentation. Continuation of this checklist is not possible until all documentation has been reviewed by the lead auditor.

This will help to prepare for individual audit activities, and will serve as a high-level overview from which the lead auditor will be able to better identify and understand areas of concern or nonconformity.

Documented information is an umbrella term that could refer to:

  • Processes (either recorded on paper or with software)
  • Management system documents and records
  • Previous audit reports

The above list is by no means exhaustive. The lead auditor should also take into account individual audit scope, objectives, and criteria.

Reference material, such as individual ISO standards, will be useful at this point.

Using the form fields below, record any issues of nonconformities observed.

Approval:

Will be submitted for approval:
  • Review auditee's documented information
    Will be submitted

(Conditional) Resolve documented information issue(s)

Using the form field below, describe the issue(s) with documented information so far, and the steps taken to resolve the issue(s). 

Prepare an audit plan

The lead auditor should prepare an audit plan for the individual audit.

This plan should involve the following components and considerations:

  • 1
    Roles and responsibilities of each audit team member
  • 2
    Risk-based approach to audit planning
  • 3
    Scheduling and coordination of audit activities
  • 4
    Scope and complexity of the audit
  • 5
    Sampling techniques for collecting evidence
  • 6
    Opportunities for improvement
  • 7
    Risks of inadequate planning
  • 8
    Impact of the audit on auditee activities

Assign work to the audit team

The lead auditor should assign work to the audit team.

Work to be assigned should be outlined in the audit plan.

You can use Process Street's task assignment feature to assign specific tasks in this checklist to individual members of your audit team.

Initiating the audit:

Make arrangements with the auditee

The lead auditor should make contact with the auditee and ensure the following:

  • 1
    Basic introduction and clear outline of lead auditor roles and responsibilities
  • 2
    Clarify the methods of communication
  • 3
    Permission has been granted to proceed with the audit
  • 4
    The auditee understands the audit programme so far
  • 5
    Relevant information is accessible to all parties involved with the audit
  • 6
    Request access to additional relevant information
  • 7
    Determine if there are any additional regulatory requirements that will impact audit activities
  • 8
    Confirm information security policies
  • 9
    Confirm audit scheduling
  • 10
    Location-specific arrangements are made
  • 11
    Auditee understands requirements for additional observers/guides etc.
  • 12
    Risk areas of note are communicated
  • 13
    Outstanding issues are resolved

Any scheduling of audit activities should be made well in advance.

For example, the dates of the opening and closing meetings should be provisionally declared for planning purposes.

Conduct open meeting

An opening meeting between the auditee and all relevant parties should be held.

It's advised that the opening meeting should be led by the lead auditor.

The scheduling for this meeting should have already been determined earlier in the checklist.

During the opening meeting, confirm the following with all relevant parties:

  • 1
    Audit programme plans
  • 2
    Individual audit scope
  • 3
    Individual audit objectives
  • 4
    Individual audit criteria
  • 5
    Individual audit plans
  • 6
    Roles and responsibilities of the audit team
  • 7
    That all planned activities can be performed, and proper authorization is acquired
  • 8
    Language of the audit
  • 9
    Information security protocol
  • 10
    Relevant access and arrangements for the audit team
  • 11
    Notable on-site activities that could impact audit process

Typically, such an opening meeting will involve the auditee's management, as well as crucial actors or specialists in relation to processes and procedures to be audited.

This meeting is a great opportunity to ask any questions about the audit process and generally clear the air of uncertainties or reservations.

Depending on the size and scope of the audit (and as such the organization being audited) the opening meeting might be as simple as announcing that the audit is starting, with a simple explanation of the nature of the audit.

Familiarity of the auditee with the audit process is also an important factor in determining how extensive the opening meeting should be.

During the opening meeting, the following items should be clearly communicated:

  • 1
    Methods for reporting and communicating audit progress
  • 2
    Conditions of audit termination
  • 3
    Procedures for dealing with audit findings during the audit
  • 4
    Procedures for receiving feedback from the auditee in response to findings during the audit

Ensure relevant audit information is accessible

Where, when, and how information is accessible is a crucial factor during the audit.

It's important to make clear where all relevant interested parties can find important audit information.

Make sure important information is readily accessible by recording the location in the form fields of this task.

You may want to consider uploading important information to a secure central repository (URL) that can be easily shared to relevant interested parties.

Audits can store important information both physically and/or virtually.

Collecting evidence (context of the organization):

Assess understanding of the organization and its context

Understanding the context of the organization is necessary when developing an information security management system in order to identify, analyze, and understand the business environment in which the organization conducts its business and realizes its product.

Record information pertaining to the organization and its context in the form fields below.

Assess the needs and expectations of relevant interested parties

Provide a record of evidence gathered relating to the needs and expectations of interested parties in the form fields below.

Assess ISMS scope

The scope of the ISMS is basically a description of the processes, procedures, services, and products that the ISMS applies to.

Provide a record of evidence gathered relating to the ISMS scope in the form fields below.

Collecting evidence (leadership):

Assess leadership of the ISMS

Provide a record of evidence gathered relating to the ISMS leadership in the form fields below.

Assess ISMS policy

Provide a record of evidence gathered relating to the ISMS quality policy in the form fields below.

Assess ISMS roles, responsibilities, and authorities

Provide a record of evidence gathered relating to the organizational roles, responsibilities, and authorities of the ISMS in the form fields below.

Assess consultation and participation of workers

Provide a record of evidence gathered relating to the consultation and participation of the workers of the ISMS using the form fields below.

Collecting evidence (planning):

Assess actions to address risks and opportunities

Provide a record of evidence gathered relating to the documentation of risks and opportunities in the ISMS using the form fields below.

Assess ISMS objectives and plans to achieve them

Provide a record of evidence gathered relating to the ISMS objectives and plans to achieve them in the form fields below.

Collecting evidence (support):

Assess ISMS resources

Provide a record of evidence gathered relating to the documentation and implementation of ISMS resources using the form fields below.

Assess ISMS competence

Provide a record of evidence gathered relating to the documentation and implementation of ISMS competence using the form fields below.

Assess ISMS awareness

Provide a record of evidence gathered relating to the documentation and implementation of ISMS awareness using the form fields below.

Assess ISMS communication

Provide a record of evidence gathered relating to the documentation and implementation of ISMS communication using the form fields below.

Assess ISMS documented information

Provide a record of evidence gathered relating to the documentation information of the ISMS using the form fields below.

Collecting evidence (operation):

Assess ISMS operational planning and control

Provide a record of evidence gathered relating to the operational planning and control of the ISMS using the form fields below.

Assess ISMS information security risk assessment procedures

Provide a record of evidence gathered relating to the information security risk assessment procedures of the ISMS using the form fields below.

Assess information security risk treatment procedures

Provide a record of evidence gathered relating to the information security risk treatment procedures of the ISMS using the form fields below.

Collecting evidence (performance evaluation):

Assess systems for monitoring and measuring ISMS performance

Provide a record of evidence gathered relating to the systems for monitoring and measuring performance of the ISMS using the form fields below.

Assess ISMS internal audit procedures

Provide a record of evidence gathered relating to the internal audit procedures of the ISMS using the form fields below.

Assess ISMS management review procedures

Provide a record of evidence gathered relating to the management review procedures of the ISMS using the form fields below.

Collecting evidence (improvement):

Assess ISMS nonconformity and corrective action

Provide a record of evidence gathered relating to nonconformity and corrective action in the ISMS using the form fields below.

Assess continuous improvement procedures

Provide a record of evidence gathered relating to continuous improvement procedures of the ISMS using the form fields below.

Audit findings:

Review audit evidence and findings

The audit leader can review and approve, reject or reject with comments, the below audit evidence, and findings. It is not possible to continue in this checklist until the below has been reviewed.


Context of the organization


Understanding the organization and its context

Internal issues: {{form.Internal_issues_information}}

External issues: {{form.External_issues_information}}

Relevant interested parties: {{form.Relevant_interested_parties_information}}

Any nonconformities?: {{form.Nonconformity_with_organization_and_its_context?}}

Conformities: {{form.Record_conformities_for_organization_and_its_context}}

Nonconformities: {{form.Record_nonconformities_for_organization_and_its_context}}

Suggestions: {{form.Suggestions_for_organization_and_its_context}}

Needs and expectations of relevant interested parties

Information: {{form.Needs_and_expectations_of_interested_parties_information}}

Any nonconformities?: {{form.Nonconformity_with_needs_and_expectations_of_interested_parties?}}

Conformities: {{form.Record_conformities_for_needs_and_expectations_of_interested_parties}}

Nonconformities: {{form.Record_nonconformities_for_needs_and_expectations_of_interested_parties}}

Suggestions: {{form.Suggestions_for_needs_and_expectations_of_interested_parties}}

ISMS scope

Information: {{form.ISMS_scope_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_scope?}}

Conformities: {{form.Record_conformities_for_ISMS_scope}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_scope}}

Suggestions: {{form.Suggestions_for_ISMS_scope}}


Leadership


ISMS leadership

Information: {{form.ISMS_leadership_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_leadership?}}

Conformities: {{form.Record_conformities_for_ISMS_leadership}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_leadership}}

Suggestions: {{form.Suggestions_for_ISMS_leadership}}

ISMS policy

Information: {{form.ISMS_policy_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_policy?}}

Conformities: {{form.Record_conformities_for_ISMS_policy}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_policy}}

Suggestions: {{form.Suggestions_for_ISMS_policy}}

ISMS roles, responsibilities, and authorities

Information: {{form.ISMS_roles_and_responsibilities_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_roles_and_responsibilities?}}

Conformities: {{form.Record_conformities_for_ISMS_roles_and_responsibilities}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_roles_and_responsibilities}}

Suggestions: {{form.Suggestions_for_ISMS_roles_and_responsibilities}}

ISMS consultation and participation of workers

Information: {{form.Consultation_and_participation_of_workers_information}}

Any nonconformities?: {{form.Nonconformity_with_consultation_and_participation_of_workers?}}

Conformities: {{form.Record_conformities_for_consultation_and_participation_of_workers}}

Nonconformities: {{form.Record_nonconformities_for_consultation_and_participation_of_workers}}

Suggestions: {{form.Suggestions_for_consultation_and_participation_of_workers}}


Planning


Actions to assess ISMS risks and opportunities

ISMS risks information: {{form.ISMS_risks_information}}

Procedures for ISMS risk mitigation information: {{form.Procedures_for_engaging_ISMS_opportunities_information}}

ISMS opportunities information: {{form.ISMS_opportunities_information}}

Procedures for engaging ISMS opportunities information: {{form.Procedures_for_engaging_ISMS_opportunities_information}}

Any nonconformities?: {{form.Nonconformity_with_documentation_of_ISMS_risks_and_opportunities?}}

Conformities: {{form.Record_conformities_for_ISMS_risks_and_opportunities}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_risks_and_opportunities}}

Suggestions: {{form.Suggestions_for_ISMS_risks_and_opportunities}}

ISMS objectives and plans to achieve them

ISMS objectives information: {{form.ISMS_objectives_information}}

Plans to achieve ISMS objectives information: {{form.Plans_to_achieve_ISMS_objectives_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_objectives_and_plans_to_achieve_them?}}

Conformities: {{form.Record_conformities_with_ISMS_objectives_and_plans_to_achieve_them}}

Nonconformities: {{form.Record_nonconformities_with_ISMS_objectives_and_plans_to_achieve_them}}

Suggestions: {{form.Suggestions_for_ISMS_objectives_and_plans_to_achieve_them}}


Support


ISMS resources

Information: {{form.ISMS_resources_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_resources?}}

Conformities: {{form.Record_conformities_for_ISMS_resources}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_resources}}

Suggestions: {{form.Suggestions_for_ISMS_resources}}

ISMS competence

Information: {{form.ISMS_competence_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_competence?}}

Conformities: {{form.Record_conformities_for_ISMS_competence}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_competence}}

Suggestions: {{form.Suggestions_for_ISMS_competence}}

ISMS awareness

Information: {{form.ISMS_awareness_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_awareness?}}

Conformities: {{form.Record_conformities_for_ISMS_awareness}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_awareness}}

Suggestions: {{form.Suggestions_for_ISMS_awareness}}

ISMS communication

Information: {{form.ISMS_communication_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_communication?}}

Conformities: {{form.Record_conformities_for_ISMS_communication}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_communication}}

Suggestions: {{form.Suggestions_for_ISMS_communication}}

ISMS documented information

Information: {{form.ISMS_documented_information_notes}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_documented_information?}}

Conformities: {{form.Record_conformities_for_ISMS_documented_information}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_documented_information}}

Suggestions: {{form.Suggestions_for_ISMS_documented_information}}


Operation


ISMS operational planning and control

Information: {{form.ISMS_operational_planning_and_control_information}}

Any nonconformities?: {{form.Nonconformities_with_ISMS_operational_planning_and_control?}}

Conformities: {{form.Record_conformities_for_ISMS_operational_planning_and_control}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_operational_planning_and_control}}

Suggestions: {{form.Suggestions_for_ISMS_operational_planning_and_control}}

ISMS information security risk assessment procedures

Information: {{form.ISMS_information_security_risk_assessment_procedures_information}}

Any nonconformities?: {{form.Nonconformities_with_ISMS_information_security_risk_assessment_procedures?}}

Conformities: {{form.Record_conformities_for_ISMS_information_security_risk_assessment_procedures}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_information_security_risk_assessment_procedures}}

Suggestions: {{form.Suggestions_for_ISMS_information_security_risk_assessment_procedures}}

ISMS information security risk treatment procedures

Information: {{form.ISMS_information_security_risk_treatment_procedures_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_information_security_risk_treatment_procedures?}}

Conformities: {{form.Record_conformities_for_ISMS_information_security_risk_treatment_procedures}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_information_security_risk_treatment_procedures}}

Suggestions: {{form.Suggestions_for_ISMS_information_security_risk_treatment_procedures}}


Performance evaluation


Systems for assessing and monitoring ISMS performance

Information: {{form.Systems_for_monitoring_and_measuring_ISMS_performance_information}}

Any nonconformities?: {{form.Nonconformities_with_systems_for_monitoring_and_measuring_ISMS_performance?}}

Conformities: {{form.Record_conformities_for_systems_for_monitoring_and_measuring_ISMS_performance}}

Nonconformities: {{form.Record_nonconformities_for_systems_for_monitoring_and_measuring_ISMS_performance}}

Suggestions: {{form.Suggestions_for_systems_for_monitoring_and_measuring_ISMS_performance}}

ISMS internal audit procedures

Information: {{form.ISMS_internal_audit_procedures_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_internal_audit_procedures?}}

Conformities: {{form.Record_conformities_for_ISMS_internal_audit_procedures}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_internal_audit_procedures}}

Suggestions: {{form.Suggestions_for_ISMS_internal_audit_procedures}}

ISMS management review procedures

Information: {{form.ISMS_management_review_procedures_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_management_review_procedures?}}

Conformities: {{form.Record_conformities_for_ISMS_management_review_procedures}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_management_review_procedures}}

Suggestions: {{form.Suggestions_for_ISMS_management_review_procedures}}


Improvement


ISMS nonconformity and corrective action

Information: {{form.ISMS_nonconformity_and_corrective_action_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_nonconformity_and_corrective_action?}}

Conformities: {{form.Record_conformities_for_ISMS_nonconformity_and_corrective_action}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_nonconformity_and_corrective_action}}

Suggestions: {{form.Suggestions_for_ISMS_nonconformity_and_corrective_action}}

ISMS continuous improvement procedures

Information: {{form.ISMS_continuous_improvement_procedures_information}}

Any nonconformities?: {{form.Nonconformity_with_ISMS_continuous_improvement_procedures?}}

Conformities: {{form.Record_conformities_for_ISMS_continuous_improvement_procedures}}

Nonconformities: {{form.Record_nonconformities_for_ISMS_continuous_improvement_procedures}}

Suggestions: {{form.Suggestions_for_ISMS_continuous_improvement_procedures}}

Approval:

Will be submitted for approval:
  • Review audit evidence and findings
    Will be submitted

Closing the audit:

Prepare ISMS audit report

Audit reports should be issued within 24 hours of the audit to ensure the auditee is given opportunity to take corrective action in a timely, thorough fashion

If the report is issued several weeks after the audit, it will typically be lumped onto the "to-do" pile, and much of the momentum of the audit, including discussions of findings and feedback from the auditor, will have faded.

The lead auditor should prepare the audit report.

This task has been assigned a dynamic due date set to 24 hours after the audit evidence has been evaluated against criteria.

The audit report is the final record of the audit; the high-level document that clearly outlines a complete, concise, clear record of everything of note that happened during the audit.

Use the sub-checklist below to check off important items included within the audit report:

  • 1
    Audit programme objectives
  • 2
    Individual audit objectives
  • 3
    Individual audit scope
  • 4
    Individual audit criteria
  • 5
    An overview of the auditee & their context
  • 6
    Roles and responsibilities of the audit team
  • 7
    Key dates and locations of the audit
  • 8
    Complete audit findings and corresponding evidence
  • 9
    Audit conclusions
  • 10
    Assessment of audit criteria
  • 11
    Unresolved conflicts of opinion between audit team and auditee

Use the form field below to upload the completed audit report.

Issue ISMS audit report

As stressed in the previous task, that the audit report is distributed in a timely manner is one of the most important aspects of the entire audit process.

Use the email widget below to quickly and easily distribute the audit report to all relevant interested parties.

By default, the widget will send the report to:

  • The auditee main point of contact (Auditee main point of contact)
  • The audit programme manager (Audit programme manager email
  • The lead auditor (Lead auditor email)

Should you want to distribute the report to additional interested parties, simply add their email addresses to the email widget below:

(Conditional) Prepare for audit follow-up

Depending on the outcome of the audit, there may be a need for follow-up action.

Follow-up action might include:

  • Corrective action in response to nonconformities
  • Opportunities for improvement
  • Actions to address risks and opportunities

A time-frame should be agreed upon between the audit team and auditee within which to carry out follow-up action.

As part of the follow-up actions, the auditee will be responsible for keeping the audit team informed of any relevant activities undertaken within the agreed time-frame. The completion and effectiveness of these actions will need to be verified - this may be part of a subsequent audit.

In any case, recommendations for follow-up action should be prepared ahead of the closing meetingand shared accordingly with relevant interested parties.

Use the form fields below to record follow-up action suggestions.

Prepare for closing meeting

Before the closing meeting, the audit team should make adequate preparations.

Make sure the following items are resolved ahead of the closing meeting:

  • 1
    All audit findings are reviewed against audit objectives
  • 2
    Audit conclusions are agreed upon
  • 3
    Recommendations are prepared, if necessary
  • 4
    Follow-up action has been discussed and agreed upon

Conduct closing meeting

Just like the opening meeting, it's a great idea to conduct a closing meeting to orient everyone with the proceedings and outcome of the audit, and provide a firm resolution to the whole process.

The main point of the closing meeting should be to present audit findings and conclusions.

Lead auditors should be responsible for presenting audit findings and conclusions.

You can use the sub-checklist below as a kind of attendance sheet to make sure all relevant interested parties are in attendance at the closing meeting:

  • 1
    Auditee management
  • 2
    Audit programme manager
  • 3
    Individuals responsible for the processes and procedures being audited
  • 4
    The audit client
  • 5
    All members of the audit team
  • 6
    Other relevant interested parties, as determined by the auditee/audit programme

Once attendance has been taken, the lead auditor should go over the complete audit report, with special attention placed on:

  • 1
    If applicable, first addressing any special occurrences or situations that might have impacted the reliability of audit conclusions
  • 2
    Making sure all present are familiar with or have access to the complete audit report
  • 3
    Making sure the auditee is familiar with the audit process
  • 4
    Confirming the time-frame for audit follow-up actions
  • 5
    Diverging opinions / disagreements in relation to audit findings between any relevant interested parties
  • 6
    Opportunities for improvement

Depending on the situation and context of the audit, formality of the closing meeting can vary.

For more formal audits, minutes and records of attendance can be kept.

For more informal (e.g. internal) audits, it can be sufficient to simply communicate audit findings and audit conclusions.

In any case, during the course of the closing meeting, the following should be clearly communicated to the auditee:

  • 1
    That audit evidence is based on sample information, and therefore cannot be fully representative of the overall effectiveness of the processes being audited
  • 2
    The specific methods of audit reporting used
  • 3
    Complete audit findings and conclusions
  • 4
    Advice for how to proceed in light of audit findings
  • 5
    Consequences if audit findings are not addressed
  • 6
    Recommendations for post-audit follow-up activities
  • 7
    The fact that recommendations are not binding

Complete the audit

The audit is to be considered formally complete when all planned activities and tasks have been completed, and any recommendations or future actions have been agreed upon with the audit client.

All information documented during the course of the audit should be retained or disposed of, depending on:

  • The nature of the information (sensitive, proprietary, etc.)
  • Requirements for particular management system standards
  • Any other agreements between relevant interested parties

It should be assumed that any information collected during the audit should not be disclosed to external parties without written approval of the auditee/audit client.

However, it may sometimes be a legal requirement that certain information be disclosed. Should that be the case, the auditee/audit client must be informed as soon as possible.

Sources:

Disclaimer:

  1. Process Street is not affiliated or in partnership with the International Organization for Standardization (ISO). The materials on Process Street’s website are provided on an as-is basis and are for educational purposes. Process Street makes no warranties, expressed or implied, and hereby disclaims and negates all other warranties including, without limitation, implied warranties or conditions of merchantability, fitness for a particular purpose, or non-infringement of intellectual property or other violation of rights.

  2. Further, Process Street does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on its website or otherwise relating to such materials or on any sites linked to this site.

Sign up for a FREE account and
search thousands of checklists in our library.

Sign up for a FREE account and search thousands of checklists in our library.