ISO 19011:2018 - Guidelines for auditing management systems

6 Conducting an Audit

6.3 Preparing audit activities

6.3.2 Audit planning

6.3.2.1 Risk-based approach to planning

The audit team leader should adopt a risk-based approach to planning the audit based on the information in the audit programme and the documented information provided by the auditee.

Audit planning should consider the risks of the audit activities on the auditee’s processes and provide the basis for the agreement among the audit client, audit team and the auditee regarding the conduct of the audit. Planning should facilitate the efficient scheduling and coordination of the audit activities in order to achieve the objectives effectively.

The amount of detail provided in the audit plan should reflect the scope and complexity of the audit, as well as the risk of not achieving the audit objectives. In planning the audit, the audit team leader should consider the following:

a) the composition of the audit team and its overall competence;

b) the appropriate sampling techniques (see A.6);

c) opportunities to improve the effectiveness and efficiency of the audit activities;

d) the risks to achieving the audit objectives created by ineffective audit planning;

e) the risks to the auditee created by performing the audit.

Risks to the auditee can result from the presence of the audit team members adversely influencing the auditee’s arrangements for health and safety, environment and quality, and its products, services, personnel or infrastructure (e.g. contamination in clean room facilities).

For combined audits, particular attention should be given to the interactions between operational processes and any competing objectives and priorities of the different management systems.

6.3.2.2 Audit planning details

The scale and content of the audit planning can differ, for example, between initial and subsequent audits, as well as between internal and external audits. Audit planning should be sufficiently flexible to permit changes which can become necessary as the audit activities progress.

Audit planning should address or reference the following:

a) the audit objectives;

b) the audit scope, including identification of the organization and its functions, as well as processes to be audited;

c) the audit criteria and any reference documented information;

d) the locations (physical and virtual), dates, expected time and duration of audit activities to be conducted, including meetings with the auditee’s management;

e) the need for the audit team to familiarize themselves with auditee’s facilities and processes (e.g. by conducting a tour of physical location(s), or reviewing information and communication technology);

f) the audit methods to be used, including the extent to which audit sampling is needed to obtain sufficient audit evidence;

g) the roles and responsibilities of the audit team members, as well as guides and observers or interpreters;

h) the allocation of appropriate resources based upon consideration of the risks and opportunities related to the activities that are to be audited.

Audit planning should take into account, as appropriate:

- identification of the auditee’s representative(s) for the audit;

- the working and reporting language of the audit where this is different from the language of the auditor or the auditee or both;

- the audit report topics;

- logistics and communications arrangements, including specific arrangements for the locations to be audited;

- any specific actions to be taken to address risks to achieving the audit objectives and opportunities arising;

- matters related to confidentiality and information security;

- any follow-up actions from a previous audit or other source(s) e.g. lessons learned, project reviews;

- any follow-up activities to the planned audit;

- coordination with other audit activities, in case of a joint audit.

Audit plans should be presented to the auditee. Any issues with the audit plans should be resolved between the audit team leader, the auditee and, if necessary, the individual(s) managing the audit programme.
