Guidelines for Auditing Management Systems

ISO 19011:2018 - Guidelines for auditing management systems

5 Managing an audit programme

5.4 Establishing the audit programme

5.4.3 Establishing extent of audit programme

The individual(s) managing the audit programme should determine the extent of the audit programme. This can vary depending on the information provided by the auditee regarding its context (see 5.3).

NOTE In certain cases, depending on the auditee's structure or its activities, the audit programme might only consist of a single audit (e.g. a small project or organization).

Other factors impacting the extent of an audit programme can include the following:

a) the objective, scope and duration of each audit and the number of audits to be conducted, reporting method and, if applicable, audit follow up;

b) the management system standards or other applicable criteria;

c) the number, importance, complexity, similarity and locations of the activities to be audited;

d) those factors influencing the effectiveness of the management system;

e) applicable audit criteria, such as planned arrangements for the relevant management system standards, statutory and regulatory requirements and other requirements to which the organization is committed;

f) results of previous internal or external audits and management reviews, if appropriate;

g) results of a previous audit programme review;

h) language, cultural and social issues;

i) the concerns of interested parties, such as customer complaints, non-compliance with statutory and regulatory requirements and other requirements to which the organization is committed, or supply chain issues;

j) significant changes to the auditee’s context or its operations and related risks and opportunities;

k) availability of information and communication technologies to support audit activities, in particular the use of remote audit methods (see A.16);

l) the occurrence of internal and external events, such as nonconformities of products or service, information security leaks, health and safety incidents, criminal acts or environmental incidents;

m) business risks and opportunities, including actions to address them.