ISO 19011 Flashcards

1
Q

ISO 19011 Clauses

A
  1. Principles of auditing
  2. Managing an audit programme
  3. Conducting an audit
  4. Competence and Evaluation of auditors
2
Q

Clause 5: Managing an audit programme

A

5.2 Establishing audit programme objectives
5.3 Determining and evaluating audit programme risks and opportunities
5.4 Establishing the audit programme
5.5 Implementing audit programme
5.6 Monitoring audit programme
5.7 Reviewing and improving audit programme

3
Q

Clause 6: Conducting an audit

A

6.2 Initiating audit
6.3 Preparing audit activities
6.4 Conducting audit activities
6.5 Preparing and distributing audit report
6.6 Completing audit
6.7 Conducting audit follow-up

4
Q

Clause 7: Competence and evaluation of auditors

A

7.2 Determining auditor competence
7.3 Establishing auditor evaluation criteria
7.4 Selecting appropriate auditor evaluation method
7.5 Conducting auditor evaluation
7.6 Maintaining and improving auditor competence

5
Q

systematic, independent and documented process for obtaining objective evidence (3.8) and evaluating it objectively to determine the extent to which the audit criteria (3.7) are fulfilled

Note 1 to entry: Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the organization itself.

Note 2 to entry: External audits include those generally called second and third party audits. Second party audits are conducted by parties having an interest in the organization, such as customers, or by other individuals on their behalf. Third party audits are conducted by independent auditing organizations, such as those providing certification/registration of conformity or governmental agencies.

[SOURCE: ISO 9000:2015, 3.13.1, modified — Notes to entry have been modified]

A

audit

6
Q

audit (3.1) carried out together at a single auditee (3.13) on two or more management systems (3.18)

Note 1 to entry: When two or more discipline-specific management systems are integrated into a single management system this is known as an integrated management system.

A

combined audit

7
Q

audit (3.1) carried out at a single auditee (3.13) by two or more auditing organizations

A

joint audit

8
Q

arrangements for a set of one or more audits (3.1) planned for a specific time frame and directed towards a specific purpose

A

audit programme

9
Q

extent and boundaries of an audit (3.1)

Note 1 to entry: The audit scope generally includes a description of the physical and virtual-locations, functions, organizational units, activities and processes, as well as the time period covered.

Note 2 to entry: A virtual location is where an organization performs work or provides a service using an on-line environment allowing individuals irrespective of physical locations to execute processes.

[SOURCE: ISO 9000:2015, 3.13.5, modified — Note 1 to entry has been modified, Note 2 to entry has been added]

A

audit scope

10
Q

description of the activities and arrangements for an audit

A

audit plan

11
Q

set of requirements (3.23) used as a reference against which objective evidence (3.8) is compared

Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words “compliance” or “non-compliance” are often used in an audit finding (3.10).

Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements, contractual obligations, etc.

[SOURCE: ISO 9000:2015, 3.13.7, modified — the definition has been changed and Notes to entry 1 and 2 have been added]

A

audit criteria

12
Q

data supporting the existence or verity of something

Note 1 to entry: Objective evidence can be obtained through observation, measurement, test or by other means.

Note 2 to entry: Objective evidence for the purpose of the audit (3.1) generally consists of records, statements of fact, or other information which are relevant to the audit criteria (3.7) and verifiable.

A

objective evidence

13
Q

records, statements of fact or other information, which are relevant to the audit criteria (3.7) and verifiable

A

audit evidence

14
Q

results of the evaluation of the collected audit evidence (3.9) against audit criteria (3.7)

Note 1 to entry: Audit findings indicate conformity (3.20) or nonconformity (3.21).

Note 2 to entry: Audit findings can lead to the identification of risks, opportunities for improvement or recording good practices.

Note 3 to entry: In English if the audit criteria are selected from statutory requirements or regulatory requirements, the audit finding is termed compliance or non-compliance.

A

audit findings

15
Q

outcome of an audit (3.1), after consideration of the audit objectives and all audit findings

A

audit conclusion

16
Q

organization or person requesting an audit (3.1)

Note 1 to entry: In the case of internal audit, the audit client can also be the auditee (3.13) or the individual(s) managing the audit programme. Requests for external audit can come from sources such as regulators, contracting parties or potential or existing clients.

A

audit client

17
Q

organization as a whole or parts thereof being audited

A

auditee

18
Q

one or more persons conducting an audit (3.1), supported if needed by technical experts (3.16)

Note 1 to entry: One auditor (3.15) of the audit team (3.14) is appointed as the audit team leader.

Note 2 to entry: The audit team can include auditors-in-training.

A

audit team

19
Q

person who conducts an audit

A

auditor

20
Q

person who provides specific knowledge or expertise to the audit team (3.14)

Note 1 to entry: Specific knowledge or expertise relates to the organization, the activity, process, product, service, discipline to be audited, or language or culture.

Note 2 to entry: A technical expert to the audit team (3.14) does not act as an auditor (3.15).

A

technical expert

21
Q

individual who accompanies the audit team (3.14) but does not act as an auditor

A

observer

22
Q

set of interrelated or interacting elements of an organization to establish policies and objectives, and processes (3.24) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines, e.g. quality management, financial management or environmental management.

Note 2 to entry: The management system elements establish the organization’s structure, roles and responsibilities, planning, operation, policies, practices, rules, beliefs, objectives and processes to achieve those objectives.

Note 3 to entry: The scope of a management system can include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

A

management system

23
Q

effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected – positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence and likelihood.

Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73:2009, 3.5.1.3) and consequences (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.

A

risk

24
Q

fulfilment of a requirement

A

conformity

25
Q

non-fulfilment of a requirement

A

nonconformity

26
Q

ability to apply knowledge and skills to achieve intended results

A

competence

27
Q

need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, for example in documented information.

A

requirement

28
Q

set of interrelated or interacting activities that use inputs to deliver an intended result

A

process

29
Q

measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to the management of activities, processes (3.24), products, services, systems or organizations.

A

performance

30
Q

extent to which planned activities are realized and planned results achieved

A

effectiveness

31
Q

Clause 4: Principles of auditing (seven principles outline)

A

a) Integrity: the foundation of professionalism
b) Fair presentation: the obligation to report truthfully and accurately
c) Due professional care: the application of diligence and judgement in auditing
d) Confidentiality: security of information
e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
f) Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process
g) Risk-based approach: an audit approach that considers risks and opportunities

32
Q

Auditing is characterized by reliance on a number of principles. These principles should help to make the audit an effective and reliable tool in support of management policies and controls, by providing information on which an organization can act in order to improve its performance. Adherence to these principles is a prerequisite for providing audit conclusions that are relevant and sufficient, and for enabling auditors, working independently from one another, to reach similar conclusions in similar circumstances.

A

Principles of auditing

33
Q

Auditors and the individual(s) managing an audit programme should:
— perform their work ethically, with honesty and responsibility;
— only undertake audit activities if competent to do so;
— perform their work in an impartial manner, i.e. remain fair and unbiased in all their dealings;
— be sensitive to any influences that may be exerted on their judgement while carrying out an audit.

A

Clause 4: Principles of auditing

a) Integrity: the foundation of professionalism

34
Q

Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the audit activities. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee should be reported. The communication should be truthful, accurate, objective, timely, clear and complete.

A

Clause 4: Principles of auditing

b) Fair presentation: the obligation to report truthfully and accurately

35
Q

Auditors should exercise due care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgements in all audit situations.

A

Clause 4: Principles of auditing

c) Due professional care: the application of diligence and judgement in auditing

36
Q

Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interests of the auditee. This concept includes the proper handling of sensitive or confidential information.

A

Clause 4: Principles of auditing

d) Confidentiality: security of information

37
Q

Auditors should be independent of the activity being audited wherever practicable, and should in all cases act in a manner that is free from bias and conflict of interest. For internal audits, auditors should be independent from the function being audited if practicable. Auditors should maintain objectivity throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence.

A

Clause 4: Principles of auditing

e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions

38
Q

Audit evidence should be verifiable. It should in general be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. An appropriate use of sampling should be applied, since this is closely related to the confidence that can be placed in the audit conclusions.

A

Clause 4: Principles of auditing

f) Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process

39
Q

The risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit programme objectives.

A

Clause 4: Principles of auditing

g) Risk-based approach: an audit approach that considers risks and opportunities

40
Q

An audit programme should be established which can include audits addressing one or more management system standards or other requirements, conducted either separately or in combination (combined audit).

A

Clause 5 Managing an audit programme

5.1 General

41
Q

The extent of an audit programme should be based on the size and nature of the auditee, as well as on the nature, functionality, complexity, the type of risks and opportunities, and the level of maturity of the management system(s) to be audited.

A

Clause 5 Managing an audit programme

5.1 General

42
Q

The functionality of the management system can be even more complex when most of the important functions are outsourced and managed under the leadership of other organizations. Particular attention needs to be paid to where the most important decisions are made and what constitutes the top management of the management system.

A

Clause 5 Managing an audit programme

5.1 General

43
Q

In the case of multiple locations/sites (e.g. different countries), or where important functions are outsourced and managed under the leadership of another organization, particular attention should be paid to the design, planning and validation of the audit programme.

A

Clause 5 Managing an audit programme

5.1 General

44
Q

The planning of internal audit programmes and, in some cases programmes for auditing external providers, can be arranged to contribute to other objectives of the organization.

A

Clause 5 Managing an audit programme

5.1 General

45
Q

In the case of smaller or less complex organizations the audit programme can be scaled appropriately.

In order to understand the context of the auditee, the audit programme should take into account the auditee’s:

A

— organizational objectives;
— relevant external and internal issues;
— the needs and expectations of relevant interested parties;
— information security and confidentiality requirements.

46
Q

The individual(s) managing the audit programme should ensure the integrity of the audit is maintained and that there is not undue influence exerted over the audit.

A

Clause 5 Managing an audit programme

5.1 General

47
Q

Audit priority should be given to allocating resources and methods to matters in a management system with higher inherent risk and lower level of performance.

A

Clause 5 Managing an audit programme

5.1 General

48
Q

Competent individuals should be assigned to manage the audit programme.

A

Clause 5 Managing an audit programme

5.1 General

49
Q

The audit programme should include information and identify resources to enable the audits to be conducted effectively and efficiently within the specified time frames. The information should include:

A

a) objectives for the audit programme;

b) risks and opportunities associated with the audit programme (see 5.3) and the actions to address them;

c) scope (extent, boundaries, locations) of each audit within the audit programme;

d) schedule (number/duration/frequency) of the audits;

e) audit types, such as internal or external;

f) audit criteria;

g) audit methods to be employed;

h) criteria for selecting audit team members;

i) relevant documented information.

Some of this information may not be available until more detailed audit planning is complete.

50
Q

The implementation of the audit programme should be monitored and measured on an ongoing basis (see 5.6) to ensure its objectives have been achieved. The audit programme should be reviewed in order to identify needs for changes and possible opportunities for improvements.

A

Clause 5 Managing an audit programme

5.1 General