ISO 19011 Flashcards
ISO 19011 Clauses
- Principles of auditing
- Managing an audit programme
- Conducting an audit
- Competence and Evaluation of auditors
Clause 5: Managing an audit programme
5.2 Establishing audit programme objectives
5.3 Determining and evaluating audit programme risks and opportunities
5.4 Establishing the audit programme
5.5 Implementing audit programme
5.6 Monitoring audit programme
5.7 Reviewing and improving audit programme
Clause 6: Conducting an audit
6.2 Initiating audit
6.3 Preparing audit activities
6.4 Conducting audit activities
6.5 Preparing and distributing audit report
6.6 Completing audit
6.7 Conducting audit follow-up
Clause 7: Competence and evaluation of auditors
7.2 Determining auditor competence
7.3 Establishing auditor evaluation criteria
7.4 Selecting appropriate auditor evaluation method
7.5 Conducting auditor evaluation
7.6 Maintaining and improving auditor competence
systematic, independent and documented process for obtaining objective evidence (3.8) and evaluating it objectively to determine the extent to which the audit criteria (3.7) are fulfilled
Note 1 to entry: Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the organization itself.
Note 2 to entry: External audits include those generally called second and third party audits. Second party audits are conducted by parties having an interest in the organization, such as customers, or by other individuals on their behalf. Third party audits are conducted by independent auditing organizations, such as those providing certification/registration of conformity or governmental agencies.
[SOURCE: ISO 9000:2015, 3.13.1, modified — Notes to entry have been modified]
audit
audit (3.1) carried out together at a single auditee (3.13) on two or more management systems (3.18)
Note 1 to entry: When two or more discipline-specific management systems are integrated into a single management system this is known as an integrated management system.
combined audit
audit (3.1) carried out at a single auditee (3.13) by two or more auditing organizations
joint audit
arrangements for a set of one or more audits (3.1) planned for a specific time frame and directed towards a specific purpose
audit programme
extent and boundaries of an audit (3.1)
Note 1 to entry: The audit scope generally includes a description of the physical and virtual locations, functions, organizational units, activities and processes, as well as the time period covered.
Note 2 to entry: A virtual location is where an organization performs work or provides a service using an on-line environment allowing individuals irrespective of physical locations to execute processes.
[SOURCE: ISO 9000:2015, 3.13.5, modified — Note 1 to entry has been modified, Note 2 to entry has been added]
audit scope
description of the activities and arrangements for an audit
audit plan
set of requirements (3.23) used as a reference against which objective evidence (3.8) is compared
Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words “compliance” or “non-compliance” are often used in an audit finding (3.10).
Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements, contractual obligations, etc.
[SOURCE: ISO 9000:2015, 3.13.7, modified — the definition has been changed and Notes to entry 1 and 2 have been added]
audit criteria
data supporting the existence or verity of something
Note 1 to entry: Objective evidence can be obtained through observation, measurement, test or by other means.
Note 2 to entry: Objective evidence for the purpose of the audit (3.1) generally consists of records, statements of fact, or other information which are relevant to the audit criteria (3.7) and verifiable.
objective evidence
records, statements of fact or other information, which are relevant to the audit criteria (3.7) and verifiable
audit evidence
results of the evaluation of the collected audit evidence (3.9) against audit criteria (3.7)
Note 1 to entry: Audit findings indicate conformity (3.20) or nonconformity (3.21).
Note 2 to entry: Audit findings can lead to the identification of risks, opportunities for improvement or recording good practices.
Note 3 to entry: In English, if the audit criteria are selected from statutory requirements or regulatory requirements, the audit finding is termed compliance or non-compliance.
audit findings
outcome of an audit (3.1), after consideration of the audit objectives and all audit findings
audit conclusion
organization or person requesting an audit (3.1)
Note 1 to entry: In the case of internal audit, the audit client can also be the auditee (3.13) or the individual(s) managing the audit programme. Requests for external audit can come from sources such as regulators, contracting parties or potential or existing clients.
audit client
organization as a whole or parts thereof being audited
auditee
one or more persons conducting an audit (3.1), supported if needed by technical experts (3.16)
Note 1 to entry: One auditor (3.15) of the audit team (3.14) is appointed as the audit team leader.
Note 2 to entry: The audit team can include auditors-in-training.
audit team
person who conducts an audit
auditor
person who provides specific knowledge or expertise to the audit team (3.14)
Note 1 to entry: Specific knowledge or expertise relates to the organization, the activity, process, product, service, discipline to be audited, or language or culture.
Note 2 to entry: A technical expert to the audit team (3.14) does not act as an auditor (3.15).
technical expert
individual who accompanies the audit team (3.14) but does not act as an auditor
observer
set of interrelated or interacting elements of an organization to establish policies and objectives, and processes (3.24) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines, e.g. quality management, financial management or environmental management.
Note 2 to entry: The management system elements establish the organization’s structure, roles and responsibilities, planning, operation, policies, practices, rules, beliefs, objectives and processes to achieve those objectives.
Note 3 to entry: The scope of a management system can include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
management system
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected – positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence and likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73:2009, 3.5.1.3) and consequences (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
risk
fulfilment of a requirement
conformity
non-fulfilment of a requirement
nonconformity
ability to apply knowledge and skills to achieve intended results
competence
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
requirement
set of interrelated or interacting activities that use inputs to deliver an intended result
process
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.24), products, services, systems or organizations.
performance
extent to which planned activities are realized and planned results achieved
effectiveness
Clause 4: Principles of auditing (seven principles outline)
a) Integrity: the foundation of professionalism
b) Fair presentation: the obligation to report truthfully and accurately
c) Due professional care: the application of diligence and judgement in auditing
d) Confidentiality: security of information
e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
f) Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process
g) Risk-based approach: an audit approach that considers risks and opportunities
Auditing is characterized by reliance on a number of principles. These principles should help to make the audit an effective and reliable tool in support of management policies and controls, by providing information on which an organization can act in order to improve its performance. Adherence to these principles is a prerequisite for providing audit conclusions that are relevant and sufficient, and for enabling auditors, working independently from one another, to reach similar conclusions in similar circumstances.
Principles of auditing
Auditors and the individual(s) managing an audit programme should:
— perform their work ethically, with honesty and responsibility;
— only undertake audit activities if competent to do so;
— perform their work in an impartial manner, i.e. remain fair and unbiased in all their dealings;
— be sensitive to any influences that may be exerted on their judgement while carrying out an audit.
Clause 4: Principles of auditing
a) Integrity: the foundation of professionalism
Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the audit activities. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee should be reported. The communication should be truthful, accurate, objective, timely, clear and complete.
Clause 4: Principle of auditing
b) Fair presentation: the obligation to report truthfully and accurately
Auditors should exercise due care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgements in all audit situations.
Clause 4: Principle of auditing
c) Due professional care: the application of diligence and judgement in auditing
Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interests of the auditee. This concept includes the proper handling of sensitive or confidential information.
Clause 4: Principle of auditing
d) Confidentiality: security of information
Auditors should be independent of the activity being audited wherever practicable, and should in all cases act in a manner that is free from bias and conflict of interest. For internal audits, auditors should be independent from the function being audited if practicable. Auditors should maintain objectivity throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence.
Clause 4: Principle of auditing
e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
Audit evidence should be verifiable. It should in general be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. An appropriate use of sampling should be applied, since this is closely related to the confidence that can be placed in the audit conclusions.
Clause 4: Principle of auditing
f) Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process
The risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit programme objectives.
Clause 4: Principle of auditing
g) Risk-based approach: an audit approach that considers risks and opportunities
An audit programme should be established which can include audits addressing one or more management system standards or other requirements, conducted either separately or in combination (combined audit).
Clause 5 Managing an audit programme
5.1 General
The extent of an audit programme should be based on the size and nature of the auditee, as well as on the nature, functionality, complexity, the type of risks and opportunities, and the level of maturity of the management system(s) to be audited.
Clause 5 Managing an audit programme
5.1 General
The functionality of the management system can be even more complex when most of the important functions are outsourced and managed under the leadership of other organizations. Particular attention needs to be paid to where the most important decisions are made and what constitutes the top management of the management system.
Clause 5 Managing an audit programme
5.1 General
In the case of multiple locations/sites (e.g. different countries), or where important functions are outsourced and managed under the leadership of another organization, particular attention should be paid to the design, planning and validation of the audit programme.
Clause 5 Managing an audit programme
5.1 General
The planning of internal audit programmes and, in some cases, programmes for auditing external providers, can be arranged to contribute to other objectives of the organization.
Clause 5 Managing an audit programme
5.1 General
In the case of smaller or less complex organizations the audit programme can be scaled appropriately.
In order to understand the context of the auditee, the audit programme should take into account the auditee’s:
— organizational objectives;
— relevant external and internal issues;
— the needs and expectations of relevant interested parties;
— information security and confidentiality requirements.
The individual(s) managing the audit programme should ensure the integrity of the audit is maintained and that there is not undue influence exerted over the audit.
Clause 5 Managing an audit programme
5.1 General
Audit priority should be given to allocating resources and methods to matters in a management system with higher inherent risk and lower level of performance.
Clause 5 Managing an audit programme
5.1 General
Competent individuals should be assigned to manage the audit programme.
Clause 5 Managing an audit programme
5.1 General
The audit programme should include information and identify resources to enable the audits to be conducted effectively and efficiently within the specified time frames. The information should include:
a) objectives for the audit programme;
b) risks and opportunities associated with the audit programme (see 5.3) and the actions to address them;
c) scope (extent, boundaries, locations) of each audit within the audit programme;
d) schedule (number/duration/frequency) of the audits;
e) audit types, such as internal or external;
f) audit criteria;
g) audit methods to be employed;
h) criteria for selecting audit team members;
i) relevant documented information.
Some of this information may not be available until more detailed audit planning is complete.
The implementation of the audit programme should be monitored and measured on an ongoing basis (see 5.6) to ensure its objectives have been achieved. The audit programme should be reviewed in order to identify needs for changes and possible opportunities for improvements.
Clause 5 Managing an audit programme
5.1 General