ISO 19011:2018 - Guidelines for auditing management systems

Annex A

(informative)

Additional guidance for auditors planning and conducting audits

A.15 Visiting the auditees location

To minimize interference between audit activities and the auditees work processes and to ensure the health and safety of the audit team during a visit, the following should be considered:

a) Planning the visit:

- ensure permission and access to those parts of the auditee’s location, to be visited in accordance with the audit scope;

- provide adequate information to auditors on security, health (e.g. quarantine), occupational health and safety matters and cultural norms and working hours for the visit including requested and recommended vaccination and clearances, if applicable;

- confirm with the auditee that any required personal protective equipment (PPE) will be available for the audit team, if applicable;

- confirm the arrangements with the auditee regarding the use of mobile devices and cameras including recording information such as photographs of locations and equipment, screen shot copies or photocopies of documents, videos of activities and interviews, taking into consideration security and confidentiality matters;

- except for unscheduled, ad hoc audits, ensure that personnel being visited will be informed about the audit objectives and scope.

b) On-site activities:

- avoid any unnecessary disturbance of the operational processes;

- ensure that the audit team is using PPE properly (if applicable);

- ensure emergency procedures are communicated (e.g. emergency exits, assembly points);

- schedule communication to minimize disruption;

- adapt the size of the audit team and the number of guides and observers in accordance with the audit scope, in order to avoid interference with the operational processes as far as practicable;

- do not touch or manipulate any equipment, unless explicitly permitted, even when competent or licensed;

- if an incident occurs during the on-site visit, the audit team leader should review the situation with the auditee and, if necessary, with the audit client and reach agreement on whether the audit should be interrupted, rescheduled or continued;

- if taking copies of documents in any media, ask for permission in advance and consider confidentiality and security matters;

- when taking notes, avoid collecting personal information unless required by the audit objectives or audit criteria.

c) Virtual audit activities:

- ensure that the audit team is using agreed remote access protocols including requested devices, software, etc.;

- if taking screen shot copies of document of any kind, ask for permission in advance and consider confidentiality and security matters and avoid recording individuals without their permission;

- if an incident occurs during the remote access, the audit team leader should review the situation with the auditee and, if necessary, with the audit client and reach agreement on whether the audit should be interrupted, rescheduled or continued;

- use floor plans/diagrams of the remote location for reference;

- maintain respect for privacy during audit breaks.

Consideration needs to be given to disposition of information and audit evidence, irrespective of the type of media, at a later date, once the need for its retention has lapsed.