19011 Section 5: Managing an Audit Programme Flashcards
5.1
General
5.2
Establishing audit programme objectives
5.3
Determining and evaluating audit programme risks and opportunities
5.4
Establishing the audit programme
5.5
Implementing the Audit Programme
5.6
Monitoring Audit Programme
5.7
Reviewing and Improving Audit Programme
5.1. In order to understand the context of the auditee, the audit programme should take into account the auditee’s:
- organizational objectives;
- relevant external and internal issues;
- the needs and expectations of relevant interested parties;
- information security and confidentiality requirements.
5.1 The audit programme should include information and identify resources to enable the audits to be conducted effectively and efficiently within the specified time frames. The information should include:
a) objectives for the audit programme;
b) risks and opportunities associated with the audit programme (see 5.3) and the actions to address them;
c) scope (extent, boundaries, locations) of each audit within the audit programme;
d) schedule (number/duration/frequency) of the audits;
e) audit types, such as internal or external;
f) audit criteria;
g) audit methods to be employed;
h) criteria for selecting audit team members;
i) relevant documented information.
5.2 Audit programme objectives can be based on consideration of the following:
a) needs and expectations of relevant interested parties, both external and internal;
b) characteristics of and requirements for processes, products, services and projects, and any changes to them;
c) management system requirements;
d) need for evaluation of external providers;
e) auditee’s level of performance and level of maturity of the management system(s), as reflected in relevant performance indicators (e.g. KPIs), the occurrence of nonconformities or incidents or complaints from interested parties;
f) identified risks and opportunities to the auditee;
g) results of previous audits.
5.2 Examples of audit programme objectives can include the following:
1) identify opportunities for the improvement of a management system and its performance;
2) evaluate the capability of the auditee to determine its context;
3) evaluate the capability of the auditee to determine risks and opportunities and to identify and implement effective actions to address them;
4) conform to all relevant requirements, e.g. statutory and regulatory requirements, compliance commitments, requirements for certification to a management system standard;
5) obtain and maintain confidence in the capability of an external provider;
6) determine the continuing suitability, adequacy and effectiveness of the management system;
7) evaluate the compatibility and alignment of the management system objectives with the strategic direction of the organization.
5.4.1
5.4.1 Roles and responsibilities of the individual(s) managing the audit programme
5.4.2
5.4.2 Competence of individual(s) managing audit programme
5.4.3
5.4.3 Establishing extent of audit programme
5.4.4
5.4.4 Determining audit programme resources