Auditing ISO 22301 BCMS Standard - Part I
Master the principles, processes, and practices of effective management systems auditing
What You'll Learn
Audit Fundamentals
Understanding what audits are, why they matter, and how they drive continuous improvement in organizations
ISO 19011 Standards
Comprehensive guidance on the international standard for auditing management systems
Practical Application
Real-world techniques for planning, conducting, and reporting on management system audits
Auditor Competence
Requirements and pathways for developing and maintaining professional auditor qualifications
Chapter 1: Introduction to Auditing
What is an Audit?
At its core, an audit represents a systematic verification process that ensures organizations are doing what they say they are doing. In the context of ISO management systems, audits serve as critical tools for organizational accountability and continuous improvement.
During an ISO audit, auditors verify that the management system follows the relevant ISO standard, check that actions taken to meet organizational objectives are suitable and current, verify that problems have been addressed, and identify opportunities for system improvements.
Understanding Management Systems Audits
A management systems audit can be formally defined as a systematic and independent examination to determine whether activities and related results comply with planned arrangements, and whether these arrangements are implemented effectively and are suitable to achieve objectives as per the defined management system.
This definition encompasses several key concepts that distinguish professional audits from simple inspections or reviews. The emphasis on systematic approach ensures consistency and thoroughness, while independence guarantees objectivity and credibility of findings.
Three Main Types of Management Systems Audits
01
First Party Audit (Internal Audit)
These audits are conducted internally by trained staff members or by external companies on the organization's behalf when internal resources are limited. Internal audits provide organizations with self-assessment capabilities and early detection of issues before external scrutiny.
02
Second Party Audit (Supplier Audit)
Usually carried out by the organization's own auditors on its suppliers, to confirm that providers of products or services are meeting their contractual and quality commitments. These audits can also be outsourced to external companies if internal competence is unavailable, helping organizations manage supply chain risks.
03
Third Party Audit (Certification Audit)
Conducted by auditors from an accredited certification body for the purpose of certifying the organization's management system against the relevant ISO standard. These audits provide external validation and market credibility for organizational management systems.
Why Audits Matter
Without an audit of your management systems, how can you prove that things are working correctly and being continually improved?
This fundamental question highlights the essential nature of management systems audits. They serve not merely as compliance exercises but as strategic tools for organizational development and risk management.
The Importance of Management Systems Audits
Any organization concerned about how its management system is functioning can take advantage of systematic audits, and the results will go a long way toward ensuring that the system itself is as streamlined and robust as possible. Because these audits target the state of the management system as a whole, they're able to go into great detail across numerous different areas within the organization.
Verification of Conformity
Audits verify that management system processes and procedures conform to the requirements of the applicable standard, relevant statutory and regulatory requirements, and the organization's own documented arrangements
Effectiveness Assessment
They evaluate whether implemented systems are actually achieving their intended objectives and delivering value
Problem Identification
Audits target problem areas and point out ways to improve them, making them among the best options available for ensuring management system effectiveness
Peace of Mind
Organizations gain confidence knowing their management systems are working as well as they possibly can and conforming with relevant standards
The Alternative: Operating Without Audits
To highlight the importance of audits, consider the opposite scenario. If you don't opt for an ISO audit at some point, how will you know for sure that everything you're doing with your management system is working effectively? How can you prove that all your management system processes are compliant with industry-standard regulations?
The beauty of management systems audits is that they take all the hassle off your hands by verifying the conformity, effectiveness, and overall efficiency of the management system you already have in place. Without this independent verification, organizations operate on assumptions rather than evidence, exposing themselves to unnecessary risks and missed opportunities for improvement.
Chapter 2: Terms We Should Know
To understand the subject better, we must be familiar with key terminology and definitions. The following terms form the foundation of professional auditing practice and are essential for clear communication throughout the audit process. These definitions are derived from ISO 19011, the international standard for auditing management systems.
Core Audit Definitions
Audit
A systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Audit Programme
Arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose
Audit Scope
The extent and boundaries of an audit, defining what will and will not be covered during the audit engagement
Audit Plan
A description of the activities and arrangements for a specific audit, including timeline, resources, and methodology
Audit Evidence and Findings
Audit Criteria
The set of requirements used as a reference against which objective evidence is compared. These can include policies, procedures, standards, laws, regulations, or contractual requirements.
Objective Evidence
Data supporting the existence or verity of something. This forms the factual foundation upon which audit conclusions are based.
Audit Evidence
Records, statements of fact, or other information which are relevant to the audit criteria and verifiable through observation, measurement, test, or other means.
Audit Findings
Results of the evaluation of collected audit evidence against audit criteria. Findings can indicate either conformity or nonconformity.
Audit Conclusion
The outcome of an audit, reached after consideration of the audit objectives and all audit findings. This represents the auditor's professional judgment.
Audit Participants
Auditee
The organization as a whole or parts thereof being audited. This is the entity subject to examination and evaluation.
Audit Team
One or more persons conducting an audit, supported if needed by technical experts who bring specialized knowledge.
Auditor
A person who conducts an audit, possessing the necessary competence and independence to evaluate management systems objectively.
Technical Expert
A person who provides specific knowledge or expertise to the audit team in specialized areas requiring additional competence.
Observer
An individual who accompanies the audit team but does not act as an auditor, often present for training or monitoring purposes.
Additional Key Terms
Risk
The effect of uncertainty on objectives, which can be positive or negative
Conformity
The fulfillment of a requirement as specified in applicable standards or procedures
Nonconformity
The non-fulfillment of a requirement, representing a gap between actual and expected performance
Finally, competence refers to the ability to apply knowledge and skills to achieve intended results. This concept is fundamental to auditor qualification and effectiveness throughout the audit process.
Reference Standard: ISO 19011
The terms and definitions presented in this chapter are derived from ISO 19011, the international standard that provides guidelines for auditing management systems. This standard represents the authoritative source for auditing terminology and is recognized globally by auditors, organizations, and certification bodies.
Understanding these terms is not merely an academic exercise—it's essential for effective communication during audits, accurate documentation of findings, and professional practice in the field of management systems auditing.
Chapter 3: Introduction to ISO 19011
Guidelines on Management Systems Auditing
Management system audits are vital for organizations that want to sustain a culture of continuous improvement while achieving business objectives. ISO 19011 sets out the principles of auditing, guidance on managing an audit programme, guidance on conducting audits and handling audit findings, and guidance on evaluating the competence of the people involved in the audit process.
Evolution and Emphasis in ISO 19011
The current revision of ISO 19011 places increased emphasis on risk-based audit processes to drive continuous improvement more effectively. The new principles also address harmonizing multiple systems available in an organization with a standardized approach for the entire auditing process.
1
Traditional Approach
Compliance-focused audits checking boxes against requirements
2
Risk-Based Approach
Strategic audits focusing on risks, opportunities, and value creation
3
Integrated Systems
Harmonized auditing across multiple management system standards
Who Should Use ISO 19011?
ISO 19011 is meant for all organizations that need to conduct internal or external audits of management systems they are using. This includes:
  • Organizations conducting internal audits (first-party audits)
  • Organizations auditing their suppliers and partners (second-party audits)
  • Certification bodies conducting third-party audits
  • Audit program managers planning and overseeing audits
  • Auditors seeking to improve their professional practice
Comprehensive Guidance Provided by ISO 19011
ISO 19011 offers guidance on every step of auditing a management system or audit program, ensuring that audits are conducted systematically, professionally, and effectively. The standard covers the entire audit lifecycle from planning through follow-up.
Audit Program Objectives
  • Understanding specific objectives to achieve
  • Making audit arrangements
  • Assigning roles and responsibilities
Planning and Preparation
  • Defining number, scope, location and duration
  • Determining criteria and checklists
  • Establishing review procedures
Audit Execution
  • Planning and reviewing internal documents
  • Collecting and verifying evidence
  • Generating findings and preparing reports
Review and Improvement
  • Assessing results and trends
  • Analyzing audit program records
  • Ensuring confidentiality and security
Three Important Sections of ISO 19011
1. Managing an Audit Program
Comprehensive guidance on establishing, implementing, monitoring, reviewing, and improving audit programs to ensure they meet organizational objectives
2. Seven Principles of Auditing
Fundamental principles that make audits effective and reliable tools: integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and risk-based approach
3. Auditor Competence
Approaches for evaluating and developing auditor competence, including knowledge, skills, and personal behaviors required for effective auditing
Alignment with Business Objectives
One of the main tenets of the ISO 19011 approach is making sure that the objectives of the audit program are well-aligned with the main business objectives of the organization, and that the needs and best interests of customers and other stakeholders are prioritized.
This strategic alignment ensures that audits deliver real value rather than merely checking compliance boxes. When audit programs support business objectives, they become powerful tools for organizational success rather than bureaucratic exercises.
Growing Importance of Risk Management
An area of increasing importance in the auditing of management systems is the principle of risk management. Modern audits must consider not only whether requirements are met, but also whether risks are adequately identified, assessed, and managed throughout the organization.
This risk-based thinking represents a fundamental shift in how audits are planned and conducted, moving from checklist-based compliance verification to strategic assessment of organizational resilience and capability.
Four Resources to Save Time, Effort, and Money
The ISO 19011 standard offers four key resources to organizations seeking efficient and effective audit programs:
1
Clear Explanation of Principles
A comprehensive explanation of the principles of management systems auditing that form the foundation of professional practice
2
Audit Program Management
Guidance on the management of audit programs, including planning, resource allocation, and monitoring
3
Conducting Audits
Practical guidance on the conduct of internal or external audits, from preparation through follow-up
4
Auditor Competence
Advice on the competence and evaluation of auditors, ensuring audit teams have necessary capabilities
Chapter 4: Principles of Auditing
Auditing is characterized by reliance on a number of fundamental principles. These principles should help to make the audit an effective and reliable tool in support of management policies and controls, by providing information on which an organization can act in order to improve its performance.
Adherence to these principles is a prerequisite for providing audit conclusions that are relevant and sufficient, and for enabling auditors, working independently from one another, to reach similar conclusions in similar circumstances.
The Seven Principles of Auditing
ISO 19011 defines seven principles that help ensure audits are effective and reliable tools, supporting the management systems they audit by providing actionable information that organizations can use to improve performance.
Integrity
The foundation of professionalism
Fair Presentation
Obligation to report truthfully
Due Professional Care
Application of diligence and judgement
Confidentiality
Security of information
Independence
Basis for impartiality
Evidence-based
Rational method for conclusions
Risk-based
Considering risks and opportunities
Principle 1: Integrity - The Foundation of Professionalism
Auditors and audit programme managers should perform their work ethically, in an honest and responsible manner, and using their best judgement. This principle forms the bedrock upon which all other auditing principles rest.
Auditors should:
  • Undertake audit activities only if competent to do so
  • Perform work in a fair and unbiased manner
  • Remain sensitive to influences exerted upon their judgement while carrying out audits
Without integrity, all other audit activities lose their credibility and value. Organizations rely on auditors to provide truthful, uncompromised assessments that serve the organization's best interests.
Principle 2: Fair Presentation - Truthful and Accurate Reporting
All audit findings, including documented evidence, conclusions and written reports should reflect truthfully and accurately the activities of the audit. This includes any obstacles, disagreements with other auditors, or difficulties faced during the audit. Everything must be adequately documented.

Important: All communication, not just documented and reported information, should be truthful, timely, rational, clear, and complete. This principle extends to verbal discussions, informal updates, and all interactions during the audit process.
Principle 3: Due Professional Care - Diligence and Judgement
Auditors should exercise due professional care in all tasks performed during the audit, in accordance with the confidence placed in them by the auditee and in recognition of the importance of the task they are performing.
One of the most important requirements of this principle is that auditors have the ability to make reasoned judgements in all situations during the audit. This requires not only technical knowledge but also professional maturity and wisdom.
Due professional care means being thorough without being pedantic, being inquisitive without being intrusive, and being persistent without being unreasonable.
Principle 4: Confidentiality - Security of Information
Auditors should respect the confidentiality of all information they're dealing with throughout the audit. This means exercising due diligence in making sure all information acquired during the course of their duties as auditors is respected and adequately protected.
Information Protection
Safeguarding sensitive business information, trade secrets, and proprietary data encountered during audits
Special Precautions
Taking extra care when handling particularly sensitive or confidential information that could harm the organization if disclosed
Ongoing Obligation
Maintaining confidentiality not only during the audit but also after its completion, potentially indefinitely
Principle 5: Independence - Audit Impartiality and Objectivity
Audits, by nature, should be independent of the activity being audited, to the furthest extent possible. They should not interfere with the activity, nor should they hold any bias or conflict of interest.
Internal auditors should be independent of the function being audited wherever practicable. Key to all audits is the pursuit of objectivity through a rational process, so that all findings and conclusions are based only on audit evidence.

Note for Small Organizations: Smaller organizations may find it difficult to enlist truly independent auditors. In such cases, every effort should be made to eliminate bias and encourage the pursuit of rational objectivity through clear procedures and external oversight.
Principle 6: Evidence-Based Approach - Rational, Reliable Results
Evidence is one of the pillars of a successful audit, and the foundation of rational, reliable, reproducible results. Audit evidence should be verifiable; in practice it is based on samples of the available information, since audits are conducted within limited periods of time and with limited resources. How the sample is chosen therefore determines how much confidence the conclusions deserve.
01
Set Clear Objectives
Define what the sampling should achieve and what questions it should answer
02
Determine Sample Parameters
Decide how much will be sampled and what specific items or processes to include
03
Select Sampling Method
Choose appropriate sampling techniques based on audit objectives and available resources
04
Decide Sample Size
Determine how many samples will provide sufficient confidence in the results
05
Carry Out Sampling
Execute the sampling plan systematically and consistently
06
Document Results
Record and report all findings from the sampling process
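The six sampling steps above, worked end to end in Python. This is an added example, not part of the course material or of ISO 19011 itself. The population (a constructed set of business-continuity plan exercise records), the audit criterion (every plan exercised within the last 365 days with a documented outcome), the audit date, and the square-root rule used for sample size are all assumptions made for the illustration.

```python
"""Evidence-based sampling of audit evidence (added example).
Population, criterion, audit date and the square-root sample-size rule
are assumptions for this illustration, not requirements of ISO 19011."""
import math
import random
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

AS_OF = date(2024, 6, 30)   # assumed audit date


@dataclass(frozen=True)
class ExerciseRecord:
    plan_id: str
    last_exercised: Optional[date]   # None = never exercised
    outcome_documented: bool


@dataclass
class SamplingPlan:                  # steps 1-4, written down before sampling
    objective: str
    population_size: int
    method: str                      # "random" or "judgmental"
    sample_size: int
    seed: Optional[int]              # recorded so a random sample can be re-drawn


@dataclass
class SamplingResult:                # step 6: what gets reported
    plan: SamplingPlan
    sampled_ids: List[str]
    findings: List[str] = field(default_factory=list)


# Constructed population: 30 plans, 3 never exercised, 4 stale, 2 undocumented.
NEVER_EXERCISED = {"P003", "P017", "P025"}
STALE = {"P005": date(2023, 1, 15), "P010": date(2022, 11, 1),
         "P020": date(2023, 5, 30), "P028": date(2023, 6, 29)}
UNDOCUMENTED = {"P008", "P017"}


def build_population() -> List[ExerciseRecord]:
    records = []
    for i in range(1, 31):
        pid = f"P{i:03d}"
        if pid in NEVER_EXERCISED:
            last = None
        elif pid in STALE:
            last = STALE[pid]
        else:
            last = AS_OF - timedelta(days=30 + i)   # within the last 12 months
        records.append(ExerciseRecord(pid, last, pid not in UNDOCUMENTED))
    return records


def sample_size_for(population_size: int, minimum: int = 5) -> int:
    """Square-root rule with a floor: an assumed heuristic, not an ISO rule."""
    if population_size <= 0:
        return 0
    return min(population_size, max(minimum, math.ceil(math.sqrt(population_size))))


def draw_sample(records, n, method, seed=None) -> List[ExerciseRecord]:
    if method == "random":
        return random.Random(seed).sample(records, n)   # seeded => reproducible
    if method == "judgmental":
        # risk-weighted: never-exercised plans first, then the oldest exercises
        def risk_key(r):
            return (r.last_exercised is not None, r.last_exercised or date.min)
        return sorted(records, key=risk_key)[:n]
    raise ValueError(f"unknown sampling method: {method}")


def evaluate(record: ExerciseRecord, as_of: date = AS_OF, max_age_days: int = 365) -> List[str]:
    """Compare one item of evidence with the criterion; empty list = conforming."""
    findings = []
    if record.last_exercised is None:
        findings.append(f"{record.plan_id}: no exercise on record")
    elif (as_of - record.last_exercised).days > max_age_days:
        findings.append(f"{record.plan_id}: last exercised "
                        f"{record.last_exercised.isoformat()}, older than {max_age_days} days")
    if not record.outcome_documented:
        findings.append(f"{record.plan_id}: exercise outcome not documented")
    return findings


def run_sampling(records, method="random", seed=None, as_of=AS_OF) -> SamplingResult:
    plan = SamplingPlan(
        objective="Verify BC plans are exercised within 12 months with documented outcomes",
        population_size=len(records), method=method,
        sample_size=sample_size_for(len(records)), seed=seed)
    chosen = draw_sample(records, plan.sample_size, method, seed)
    result = SamplingResult(plan, [r.plan_id for r in chosen])
    for r in chosen:
        result.findings.extend(evaluate(r, as_of))
    return result


if __name__ == "__main__":
    population = build_population()
    for m in ("random", "judgmental"):
        res = run_sampling(population, method=m, seed=7)
        print(f"{m}: sampled {res.sampled_ids}")
        for f in res.findings or ["no nonconformities in sample"]:
            print("  -", f)
```

The point of recording the method, size and seed in the plan is reproducibility: a second auditor can re-draw exactly the same random sample and reach the same findings, which is what the principle asks for. The two methods also answer different questions: a seeded random sample estimates how the population as a whole behaves, while the judgmental sample deliberately goes where the risk is (plans never exercised, then the oldest) and should not be read as representative of the population.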
Principle 7: Risk-Based Approach - Considering Risks and Opportunities
Risk management is a substantial factor when planning for, conducting, and documenting an audit. The goal of a risk-based approach is simply to orient the audits more clearly towards matters that are important for audit clients and the achievement of audit objectives.
This principle represents a fundamental shift from traditional compliance-based auditing to strategic, value-adding audits that focus on what matters most to the organization. By considering risks and opportunities, auditors help organizations not just comply with standards but actually improve their performance and resilience.
Types of ISO Audits
ISO 19011 is a standard designed to help organizations perform audits effectively. When it comes to ISO management system standards, there are two main types of audit that ISO 19011 addresses:
Internal Audits (First-Party)
Conducted by or on behalf of the organization itself for internal purposes and can form the basis for self-declaration of conformity
External Audits (Second-Party and Third-Party)
Conducted by parties having an interest in the organization, such as customers (second-party) or independent certification bodies (third-party)
ISO 19011 Application and Flexibility
ISO 19011 specializes in first and second-party audits and is designed for use by audit teams of all types and sizes, from single auditors to larger teams suited for full-scale enterprise audits.
Guidelines, Not Requirements
Remember that ISO 19011 is a set of guidelines; it's not a complete set of requirements that needs to be followed step-by-step. The guidance offered by ISO 19011 should be adopted as appropriate to suit the specific needs and requirements of the audit programme in question.
Third-Party Audit Support
ISO 19011 can also be used as additional guidance for third-party audits, but the requirements for bodies that audit and certify management systems are set out in ISO/IEC 17021-1. Certification bodies and their auditors follow those requirements when carrying out certification audits.
Chapter 5: Managing an Audit Program
Clause 5 of ISO 19011 provides comprehensive guidance on the audit programme management function, which auditors and audit programme managers should consult when auditing management systems. Effective audit programme management is crucial for ensuring that audits deliver value and support organizational objectives.
Key Responsibilities for Audit Program Management
Individuals having responsibility for the management of an audit program should ensure comprehensive oversight and strategic direction for all audit activities:
Establish and Plan the Program
The audit program is established with clear structure, planning, and direction aligned with organizational needs
Identify Risks and Opportunities
Risks and opportunities affecting the audit program are systematically identified and addressed
Define Clear Objectives
Audit program objectives are clearly defined and communicated to all stakeholders
Match Competence to Scope
The competence of audit teams matches the audit scope and objective for each audit engagement
Allocate Adequate Resources
Adequate resources are available for all audits in the audit program, including time, budget, and personnel
Monitor and Improve
Individual audits are monitored for evaluation and continuous improvement of the audit program
Distinguishing Audit Program Management from Individual Audits
It is important to note that management of an audit program is not the purview of an individual auditor. Managing an audit program must be distinguished from planning and conducting individual audits, as they are two separate and unique processes.
However, in some small organizations, both functions may be conducted by the same person. When this occurs, it's essential to maintain clear separation between strategic program management decisions and tactical audit execution activities.
The audit program provides the strategic framework, while individual audits represent tactical implementations of that strategy.
Objectives of an Audit Program
In many organizations audit objectives are not explicitly set; the implied objective is simply to carry out the audits required by the relevant management system standard. Granted, this is a mandatory objective, but it does little to guide the audit program strategically.
In addition to measuring compliance to customer, regulatory, and internal requirements, well-designed audit programs could help identify unaddressed risks, evaluate the degree of alignment of processes with their objectives and metrics, and identify waste in the management system.
Examples of Audit Program Objectives
System Improvement
Identify opportunities for the improvement of a management system and its performance, driving continuous enhancement
Context Assessment
Evaluate the capability of the auditee to determine its context, including external and internal issues affecting the organization
Risk Management
Evaluate the capability of the auditee to determine risks and opportunities and to identify and implement effective actions to address them
Requirements Conformity
Conform to all relevant requirements, e.g. statutory and regulatory requirements, compliance commitments, requirements for certification
Supplier Confidence
Obtain and maintain confidence in the capability of external providers and supply chain partners
System Effectiveness
Determine the continuing suitability, adequacy and effectiveness of the auditee's management system
Strategic Alignment
Evaluate the compatibility and alignment of the management system objectives with the strategic direction of the organization
Life-Cycle Perspective on Audit Objectives
The life-cycle perspective included in ISO 19011 indicates that audit objectives are likely to change over time as the level of maturity of products, the management system, and the organization evolve.
Early-stage audits might focus heavily on compliance and system establishment, while mature systems benefit from audits that emphasize optimization, innovation, and strategic value creation.
In other words, compliance to poorly designed processes won't lead to a very effective or efficient organization. As systems mature, audit objectives should evolve to address more sophisticated challenges and opportunities.
Risks and Opportunities of an Audit Program
The objectives of the audit program can be affected by the risks and opportunities related to the context of the auditee. The individual(s) managing the program should identify the risks and potential opportunities associated with the audit program and present them to the audit client so they can be addressed proactively.
Audit Program Risk Categories
Risks may be associated with the following categories, each requiring specific attention and mitigation strategies:
Planning Risks
Failure to set relevant audit objectives, determine appropriate extent, number, duration, locations and schedule, or allocate sufficient time, equipment and training resources
Selection Risks
Issues with audit team selection and communication processes, both internal and external channels
Implementation Risks
Ineffective coordination of audits within the program, or failure to consider information security and confidentiality requirements
Documentation Risks
Ineffective determination of necessary documented information required by auditors and relevant interested parties, or failure to adequately protect audit records
Monitoring Risks
Ineffective monitoring of audit program outcomes and failure to identify improvement opportunities
Availability Risks
Lack of auditee availability and cooperation, or insufficient availability of evidence to be sampled
Opportunities for Audit Program Improvement
While managing risks is important, progressive audit programs also actively seek opportunities for enhancement and value creation:
  • Allowing multiple audits to be conducted simultaneously for efficiency
  • Minimizing time and distances to audit sites through strategic planning
  • Matching the level of competence of the audit team to actual needs
  • Aligning audit dates with availability of auditee's staff
Creating an Audit Program
The purpose of the audit programme is to oversee the whole audit process, including planning and scope, which includes determining which management system (or systems) will be audited and the specific requirements to audit against. The extent of the audit programme will also depend on the size of the auditee, as well as the nature and complexity of the management system being audited.
During this stage, audit planning and preparations are made, including review of all available documented information for the management system being audited, and establishment of clear audit objectives and criteria.
Essential Components of an Audit Program
An audit program includes several critical elements that ensure audits are planned, executed, and monitored effectively:
1
Establish the Program
Create a management system audit program with clear structure and governance
2
Evaluate Effectiveness
Use your audit program to evaluate the overall effectiveness of your auditee's management systems
3
Monitor Implementation
Monitor and measure the implementation of your management system audit program against objectives
4
Review for Improvement
Review the management system audit program regularly to identify possible improvements and evolving needs
Understanding the Auditee's Context
In order to understand the context of the auditee, the audit programme should consider several critical factors that influence how audits should be planned and conducted:
Organizational Objectives
Understanding what the organization is trying to achieve and how the management system supports those goals
External and Internal Issues
Relevant factors from the operating environment that could affect the audit approach and findings
Stakeholder Expectations
The needs and expectations of relevant interested parties who have stakes in the audit outcomes
Security Requirements
Information security and confidentiality requirements that must be observed throughout the audit process
Required Information for the Audit Program
The audit programme should include comprehensive information and identify resources to enable audits to be conducted effectively and efficiently within specified time frames:
Core Program Elements
  • Objectives for the audit programme
  • Risks and opportunities with actions to address them
  • Scope (extent, boundaries, locations) of each audit
  • Schedule (number/duration/frequency) of audits
  • Audit types (internal or external)
Execution Elements
  • Audit criteria against which to evaluate
  • Audit methods to be employed
  • Criteria for selecting audit team members
  • Relevant documented information

Note: Some of this information may not be available until more detailed audit planning is complete. The audit program should be flexible enough to accommodate refinements as planning progresses.
Monitoring and Reviewing the Audit Program
The implementation of the audit programme should be monitored and measured on an ongoing basis to ensure its objectives have been achieved. This continuous oversight allows for timely corrections and improvements.
The audit programme should be reviewed regularly to identify needs for changes and possible opportunities for improvements. This review process should be systematic and involve relevant stakeholders to ensure the program remains aligned with organizational needs and delivers continuing value.
Responsibilities of the Audit Program Manager
The role of the audit program manager should be more than creating a schedule, selecting auditors to carry out the schedule, and tracking performance against the schedule. Setting audit program objectives requires that the program manager take on a leadership role.
This leadership includes being knowledgeable of the organization's strategy and objectives, expectations of external and internal stakeholders, and the key risks and opportunities to be managed. Additionally, the audit program manager should be managing processes and related technical and human resources to provide effective and efficient results.
Determining Audit Program Resources
When determining resources for the audit programme, comprehensive consideration should be given to multiple factors that influence audit effectiveness:
Financial and Time Resources
Financial and time resources necessary to develop, implement, manage and improve audit activities
Audit Methods
Appropriate audit methods for the context, including on-site, remote, and combined approaches
Personnel Availability
Individual and overall availability of auditors and technical experts having competence appropriate to particular audit programme objectives
Program Scope
The extent of the audit programme and audit programme risks and opportunities
Travel Considerations
Travel time and cost, accommodation and other auditing needs including time zone impacts
Technology Resources
Availability of information and communication technologies, tools, technology and equipment required
Documentation
Availability of necessary documented information, as determined during audit programme establishment
Facility Requirements
Requirements related to the facility, including security clearances, personal protective equipment, and ability to wear clean room attire
Managing Audit Resources Strategically
Obviously human resource management is key to the audit process, but audit program managers should consider several strategic questions about resource management:
Skill Development
Do audit program managers have explicit, ongoing processes for auditor skill development and succession planning?
Technology Tools
What hardware and software would allow better management of audits and the audit program, including virtual audits and trend analysis?
Career Value
Is being an auditor in the organization adding value to the individual's experience portfolio and career success?
These strategic considerations ensure the audit program remains sustainable, effective, and attractive to talented professionals over the long term.
Chapter 6: Implementing an Audit Program
Conduct and Control Audit Activities
The implementation phase of an audit program involves coordinating multiple activities to ensure individual audits are conducted effectively and deliver value to the organization. This chapter provides guidance on the key activities required to successfully implement audit programs.
Establishing Initial Contact with Auditee
The first step in implementing individual audits is establishing effective communication and coordination with the auditee organization:
Establish Communications
Initiate contact and establish clear communication channels with the auditee
Confirm Agreement
Confirm your agreement with the auditee regarding audit scope, timing, and expectations
Share Information
Exchange relevant information about the audit process, requirements, and logistics
Gather Information
Request and collect information about the auditee's management system and processes
Request Access
Request access to necessary documents, records, personnel, and facilities
Make Arrangements
Finalize practical arrangements for conducting the audit, including schedules and resources
Determining the Feasibility of the Audit
Before proceeding with detailed audit planning, it's essential to assess whether the audit can actually be conducted as intended:
  • Ensure you are reasonably confident that your audit objectives can be achieved with available resources and cooperation
  • Verify that you have everything you need to plan and perform your audit effectively
  • Confirm that the auditee can provide necessary access, information, and personnel
  • Identify any constraints or limitations that might affect audit effectiveness
If feasibility concerns arise, these should be addressed before proceeding, potentially requiring adjustments to scope, timing, or approach.
Preparing Audit Activities - Document Review
Perform Document Review
Document review is a critical preparation activity that provides auditors with understanding of the management system before conducting on-site activities:
1. Select Documents
Choose relevant management system documentation for review
2. Review System Documents
Examine the auditee's management system documents thoroughly
3. Gather Information
Collect information to prepare for audit activities
4. Establish Overview
Develop an overview of system documentation and requirements
Developing the Audit Plan
The audit plan is a detailed roadmap that guides all audit activities. Development of the plan involves several sequential steps:
Study Source Documents
Review relevant standards, procedures, and documented information to understand requirements
Allocate Planning Responsibility
Assign audit planning responsibility to the team leader with clear accountability
Consider Audit Conduct
Think about how you plan to conduct your audit, including methods and sequence
Plan Usage
Consider how you intend to use your audit plan and who needs to review and approve it
Preparing the Audit Plan Document
Prepare Comprehensive Plan
Develop your management system audit plan with all necessary details including:
  • Audit objectives and scope
  • Audit criteria and reference documents
  • Audit schedule and timeline
  • Audit team member assignments
  • Resource requirements
  • Reporting requirements
Discuss and Present
Effective communication of the audit plan is essential:
  • Discuss your audit plan with the audit client
  • Present your audit plan to the auditee management
  • Obtain agreement on the plan's content and approach
  • Address any concerns or questions
  • Confirm availability of resources and personnel
Assigning Work to Audit Team Members
Effective work assignment ensures that audit activities are conducted efficiently and that each team member understands their responsibilities:
Consult Team Members
Discuss assignments with audit team members before finalizing roles and responsibilities to ensure understanding and buy-in
Assign Responsibilities
Clearly assign specific roles and responsibilities to each auditor based on their competence and the audit requirements
Hold Team Meetings
Conduct regular team meetings or briefings whenever work assignments need to be changed or reallocated during the audit
Preparing Audit Working Papers
Working papers are essential tools for auditors to collect, organize, and document information during the audit. These documents serve multiple purposes:
  • Prepare appropriate audit working papers tailored to the specific audit requirements
  • Use working papers to systematically collect audit information during interviews and observations
  • Control your audit working papers and records to ensure completeness and security
  • Review your audit working papers and records regularly to ensure quality and identify findings
Well-designed working papers improve audit efficiency, ensure consistent information collection, and provide documentation supporting audit findings and conclusions.
Chapter 7: Conducting an Audit
Establishing the Audit Sequence
Conducting audit activities requires careful sequencing and coordination of multiple tasks to ensure thorough examination while respecting the auditee's operations and time constraints. This chapter guides you through the complete audit execution process.
Key Activities During Audit Execution
Opening Meeting
Conduct opening audit meeting to set expectations and establish communication
Document Review
Review auditee's documents during audit to verify implementation
Communication
Maintain effective communication with participants throughout the audit
Assign Guides
Work with guides and observers to facilitate audit activities
Collect Information
Gather and verify information systematically during the audit
Document Findings
Develop and document audit findings based on objective evidence
Prepare Conclusions
Formulate audit conclusions from comprehensive review of findings
Present Results
Present audit findings and conclusions at closing meeting
Conducting the Opening Meeting
For a new auditor, the opening meeting is critical. The manner in which you conduct yourself, and how organized you are, establishes your credibility and sets the tone for the audit to follow. If you appear tentative and unorganized, your audit will probably not go smoothly.
Many Certification Bodies do not conduct effective opening meetings, yet these are extremely important and a valuable part of the audit process. With proper attention, the opening meeting sets a positive tone and establishes mutual understanding that facilitates the entire audit process.
Opening Meeting Guidelines - Part 1
01. Introduce Participants
Introduce yourself and team members, noting each person's responsibilities. Ask auditees to do the same. Identify communication links between teams.
02. Record Attendees
Use a pre-printed attendance form. Have everyone print their name and title, and sign. Only invite auditee management and those responsible for functions to be audited.
03. Confirm Purpose and Scope
Revisit the scope and objective of the audit, even if unchanged. Discuss and resolve any differences or areas of conflict.
04. Discuss Team Roles
Ensure everyone knows who is doing what, at what time, and where they should be throughout the audit.
05. Confirm Working Hours
Find out when auditees end their day and their lunch break preferences. Confirm subject matter experts will be available per the audit plan.
Opening Meeting Guidelines - Part 2
01. Get Guide Names
Obtain names of guides and contacts for areas being audited. Assigned guides should be available immediately after the opening meeting.
02. Indicate Criteria
Remind participants that you will audit against specific ISO standards, the organization's internal policies, legal requirements, and contractual commitments.
03. Emphasize Objectives
Set a tone of positivity. Indicate you are searching for evidence of compliance, not trying to uncover nonconformities. Semantics matter.
04. Confirm Confidentiality
Point out that everything the audit team sees will remain confidential. Explain that confidentiality agreements are legally binding.
05. Present Audit Plan
Ensure the sequence, times and appropriate people are available as scheduled. Be prepared to change the sequence of audit activities if needed.
Opening Meeting Guidelines - Part 3
Continuing Key Topics
  • Discuss audit conduct: Provide summary of methods and procedures. Confirm audit plan. Remind that schedule may change as needed.
  • Review findings documentation: Explain use of NCs, Concerns, OFIs, or grading methodology. Clarify how findings can be addressed during audit.
  • Discuss auditee responsibilities: Explain expectations if nonconformities, opportunities for improvement or concerns are found.
  • Minimize disruption: Indicate your team will try not to upset operations. Be sensitive to normal workload continuing.
Finalizing the Meeting
  • Confirm debriefing timing: Try to be punctual but notify everyone to be flexible on start and end times.
  • Safety induction: Ask about audit team safety and significant hazards. Request induction if not offered.
  • Confirm logistics: Confirm work area, printer access, wireless password, monitor access, contact methods.
  • Confirm closing meeting: For multiday audits, schedule daily debriefings and final closing meeting.
  • Note report timing: Be clear and specific about when they can expect the final report.
  • Explain appeals: Describe the appeals process for disagreements with findings or approach.
Concluding the Opening Meeting
Discuss and resolve any issues of the audit plan and make sure there are no lingering uncertainties. Be polite and thank all participants in advance for their cooperation. Don't take a "15-minute bathroom break" after the opening meeting ends. Start the audit immediately to maintain momentum and convey a sense of urgency.
Common Opening Meeting Pitfalls
Any experienced auditor will tell you that things do not often go as planned. Here are some common situations that arise during the opening meeting and how to handle them professionally:
Management Doesn't Attend
This happens quite often when executives double book or get trapped in meetings. Capture this in the audit report using attendance records. Follow up post-audit to give them a personal rundown on findings.
Schedule No Longer Works
Taking a hard line rarely works and sets a poor tone. Work with the audit representative to adjust the schedule flexibly while maintaining audit objectives.
Documentation Unavailable
This is indeed a problem. Find out why and confer with the lead auditor to decide whether to continue or delay the audit. Document the situation clearly.
Conducting Audit of the Process
This is among the key activities that an auditor performs. In fact, this is the main element and all other activities depend upon this phase. Here the auditor actually applies audit techniques such as interview, physical observation, examination, testing, verification or confirmation from related parties, and other similar methods to review the effectiveness of the areas being audited.
Example: Auditing the Human Resource Function
Let's examine a practical example of how to audit a specific function using structured audit questions and checklists.
Function/Process: Human Resource
1. Function Overview
Brief overview of the function and what it does routinely; understand the scope and key activities
2. Documented HR Process
Verify: all process activities documented with version control, key activities categorized, information security requirements defined, responsibility matrix established, performance measurement process in place, records retention and classification defined
3. Joining Process
Review: overview of the employee hire process, approval of hiring requirements, employee screening per legal requirements, contract acceptance, confidentiality agreements, verification of joining documents
4. Access to Systems
Check: periodic HR user access reviews, reconciliation of active/resigned employees with the user database maintained by IT
5. Training and Awareness
Sample review: Training Need Identification process, periodic information security training for all people, verification of latest training coverage and effectiveness, process to obtain training feedback
6. Resignation Process
Examine: overview of the resignation process, sample of recent resignations (last 6 months), exit clearance from stakeholders, approvals for relieving and final settlement, timely IT access revocation
7. Compliances
Review: legal requirements applicable to HR, instances of disciplinary action/grievances, HR committee meeting frequency, third party service contracts and risk assessments
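Checklist items 4 and 6 (reconciling HR records with the IT user database, and timely access revocation) can be evidenced with a repeatable check rather than a manual spot check. The following is an added example, not part of the course material; the roster, the account list and the 2-day revocation window are constructed assumptions.

```python
# Added example: reconcile an HR roster against IT user accounts to produce
# audit evidence for access review and revocation timeliness.
# All employee IDs, dates and the SLA value are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVOCATION_SLA_DAYS = 2  # assumed internal target; not specified by the course


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    status: str                      # "active" or "resigned"
    last_day: Optional[date] = None  # last working day for resigned staff


@dataclass(frozen=True)
class ItAccount:
    emp_id: str
    enabled: bool
    disabled_on: Optional[date] = None  # date IT disabled the account, if any


def reconcile(hr, it, sla_days=REVOCATION_SLA_DAYS):
    """Return finding-type -> sorted employee IDs for the auditor's working papers."""
    hr_by_id = {r.emp_id: r for r in hr}
    findings = {"resigned_still_enabled": [], "late_revocation": [],
                "no_hr_record": [], "active_without_account": []}
    seen = set()
    for acct in it:
        seen.add(acct.emp_id)
        rec = hr_by_id.get(acct.emp_id)
        if rec is None:  # account with no HR owner: orphan or untracked service ID
            findings["no_hr_record"].append(acct.emp_id)
        elif rec.status == "resigned":
            if acct.enabled:  # leaver still has a live account
                findings["resigned_still_enabled"].append(acct.emp_id)
            elif (acct.disabled_on and rec.last_day
                  and acct.disabled_on > rec.last_day + timedelta(days=sla_days)):
                findings["late_revocation"].append(acct.emp_id)
    for rec in hr:  # active staff with no account: a discrepancy to explain
        if rec.status == "active" and rec.emp_id not in seen:
            findings["active_without_account"].append(rec.emp_id)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data standing in for an HR export and an IT user listing.
SAMPLE_HR = [
    HrRecord("E100", "active"),
    HrRecord("E101", "resigned", date(2024, 3, 29)),
    HrRecord("E102", "resigned", date(2024, 4, 10)),
    HrRecord("E103", "resigned", date(2024, 4, 15)),
    HrRecord("E104", "active"),
]
SAMPLE_IT = [
    ItAccount("E100", True),
    ItAccount("E101", True),                      # resigned but still enabled
    ItAccount("E102", False, date(2024, 4, 18)),  # disabled 8 days after last day
    ItAccount("E103", False, date(2024, 4, 16)),  # disabled within the window
    ItAccount("E999", True),                      # no matching HR record
]

if __name__ == "__main__":
    for kind, ids in reconcile(SAMPLE_HR, SAMPLE_IT).items():
        print(f"{kind}: {ids or 'none'}")
```

Each non-empty list is a candidate finding; the auditor still confirms the reason with HR and IT before raising an NC, since a discrepancy may have a legitimate explanation.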
Post-Audit Activities
Conducting the Audit Closing Meeting
When someone is reviewing your work, how important is it to know how well you did? It's pretty important. Well, the same applies to companies who undergo audits, and closing meetings provide that opportunity for companies to learn just how well they did.
Audits are integral to quality assurance and involve an impartial review of a company's records, processes, and procedures. When an audit is completed, a closing meeting will follow to discuss the audit findings and any outstanding issues. Usually, the lead auditor will lead this meeting. The closing meeting is one of the last crucial steps in the auditing process.
Conducting a Closing Meeting - Key Topics
1. Introductions
If there are new attendees who haven't been met yet, make introductions. Keep a record of attendees for audit documentation and take minutes.
2. Express Appreciation
Show appreciation for everyone's time and cooperation to keep things positive. Thank the attendees for their support throughout the audit.
3. Reiterate Purpose and Scope
Remind everyone what the purpose and scope of the audit was. Briefly mention the auditing activities performed and that only a limited sample of documents was reviewed.
4. Explain Scoring Criteria
If a scoring or rating system is used in the audit report, the criteria must be explained to minimize misunderstandings about audit findings.
5. Present Preliminary Findings
This is probably the most anticipated part. Review the audit findings with company management, communicating clearly and ensuring everyone understands.
6. Allow Clarifications
Give the management team the opportunity to ask questions and respond to findings. Discussions here can influence the final audit report, so resolve outstanding issues.
7. Obtain Acknowledgements
Management should acknowledge that they understand the audit findings. Seek verbal acknowledgement (recorded in the minutes) or ask everyone to sign a paper copy of the preliminary report.
After the Closing Meeting
Following the meeting, the audit team leader should complete several important tasks:
  • Summarize the meeting based on minutes taken during the discussion
  • Record the agreed-upon dates by which the corrective action plan should be submitted
  • Be concise and constructive in all communications
  • Reiterate that the audit team is only responsible for identifying the need for corrective action, not what specific action should be taken
  • Note that there may be a follow-up audit to confirm the effectiveness of corrective action
  • State specifically when the report will be issued

NUK 9 Information Security Auditors LLP [NUK 9 Auditors]
E702, Arjun, NL Complex, Anand Nagar, Dahisar East
Mumbai, Maharashtra - 400068. India
This material, including all content, graphics, systems, and tools referenced or used herein, is the intellectual property of NUK 9 Auditors. Unauthorized copying, distribution, modification, or use of this material or related systems is strictly prohibited and may result in disciplinary or legal action.
Use of content is permitted only for the internal team, its contracted services and authorized purposes in accordance with company policies.