BSI HANDOUT - Assessing Generic Internal Auditing Requirements

The purpose of the following notes is to provide the meanings and intention of certification
criteria and associated theories, methodologies, techniques or tools.

These are the areas your Certification Body (CB) will be generally looking for to comply with
generic internal auditing requirements in Management System Standards.

The questions below will generally be phrased as more open ended, but these are the areas
in general to be determined by a CB assessor. Your tutor will expand on these to explain the
meaning of certification criteria as thought necessary.

• Is there an internal audit programme(s)? (Yes)
(Objective evidence – Documented audit programme)

• Does it cover the intended scope of the management system under assessment? (Yes)
(Objective evidence – The organization’s processes, comprising the scope of
certification, broken down into the audit programme)

• How are the audits scheduled (planned intervals) in the programme? (By consideration
of the importance to the organization, intended outcomes of the MS and MSS,
objectives, processes/activities concerned, risks and opportunities, and the results of
previous audits.)
(Objective evidence – Admissible statements (statements made by someone who has
the responsibility to know and is accountable) regarding the importance of the
processes, their own assessment of risks and opportunities the organization has carried
out, and the results of their previous audit findings. Essentially, more depth (scope) of
the audits and experience of the auditors (instead of just on the number of audits) if the
process is more important or negative findings are encountered, and vice versa.
Evidence that it is being used as a powerful business improvement tool not just a tick in
the box – management review minutes, actions arising from findings etc.)

• Is the audit programme(s) implemented? (Yes)
(Objective evidence – Audits being conducted as per the schedule in the audit
programme)

• How does the organization maintain this programme(s)? (We review and adjust it
periodically to meet business needs (significant changes/activities in the organization)
rather than just meeting management system requirements/certification requirements.)
(Objective evidence – Audit scheduling changing in the audit programme itself; as a
result of new audit findings, changing risks and opportunities, and other factors as per
the above e.g. availability of auditees, significant changes, or new/changing processes
etc.)

ISM03001ENGX v3.0 (AD01) Nov 2022 ©The British Standards Institution 2022 1 of 4
 

• Who has the responsibility for planning, establishing, implementing and maintaining
your audit programme(s)? (The Production Manager has…, etc.)
(Objective evidence – Responsibilities explained (or documented) covering the duties of
the person(s) managing the audit programme(s) and those involved with its planning,
establishing, implementing and maintaining.)

• What are the methods used for reporting the results of audits? (All audit results are sent
to the relevant manager (dept etc.), within one week, and to top management within
one week, and our six months formal top management review, by the Production
Manager…etc.)
(Objective evidence – Information regarding where the results of the audits go, when
they are to be sent, who is to review them, actions arising etc.)

• Are the results of the audits reported to relevant management, and a summary/trends
in audit results provided to top management? (Yes)
(Objective evidence – Meeting minutes, comments/actions received as an output from
management, continual improvement, results being received by the management that
have been determined to see them.)

• What is expected from those who receive the audit reports and/or results? (They review
the results and decide on actions needed and resources required to implement
actions…etc.)
(Objective evidence – This question is to trigger the auditee to think about the
responsibilities and accountabilities of each individual who receives the audit reports/
results and whether the expectations are clearly communicated and transparent.)

• Is information provided on whether the management system conforms to the
organization’s own requirements for its management system? (Yes)
(Objective evidence – Audit reports conclusions, audit findings and actions including any
opportunities for improvement, documented information as evidence of the nature of
nonconformities and any subsequent actions taken, verification of the effectiveness of
any improvement/corrective action, and management reviews documented results.)

• Is information provided to confirm organizational objectives, requirements and
interested party(ies) requirements? (Yes)
(Objective evidence – As above)

• Is information provided on whether the management system conforms to the
requirements of the International Standard under assessment? (Yes)
(Objective evidence – As above)


• Is information provided on whether the management system is effectively implemented
and maintained? (Yes)
(Objective evidence – As above)

• What are the methods used to select auditors? (Auditors are selected first on their
independence of the process, and then competence to carry out the audit. Obviously
their availability is also a factor and how many times they have audited that process.
Sometimes it’s better with a fresh pair of eyes.)
(Objective evidence – Auditor independence, evidence of auditor competence etc.)

• Has an audit objective(s), scope and criteria been defined for each audit? (Yes)
(Objective evidence – Documented audit objective(s), scope and criteria for each audit
conducted and planned.)

• Are auditors selected to ensure objectivity and the independence of the audit process?
(Yes)
(Objective evidence – Auditors chosen for each audit that are independent of the
activity being audited, or as a minimum efforts to remove bias and encourage
objectivity where full independence is not possible – Small organizations.)

• An audit by definition is a ‘documented process’. Has the organization a documented
process to systematically and independently obtain objective evidence and evaluate it
objectively to determine the extent to which the audit criteria are fulfilled? (Yes)
(Objective evidence – A documented process to systematically and independently obtain
objective evidence and evaluate it objectively to determine the extent to which the audit
criteria are fulfilled.)

• Is documented information retained as evidence of the implementation of the audit
programme and the audit results? (Yes)
(Objective evidence – Audit programme detailing the current status of audits performed,
audits to be performed, and any outstanding actions pertaining to audit findings.)

• What competence has the organization determined for the individuals assigned to
manage the audit programme? (They have passed the BSI Lead Auditor course and
carried out audits internally and externally at our suppliers…etc.)
(Objective evidence – Knowledge of audit principles, methods and processes,
management/other system standards, information regarding the auditee and their
context, business activities, processes of the auditee, applicable
statutory/regulatory/other requirements, appropriate knowledge of risk management,
project and process management and ICT. Retained appropriate documented
information as evidence of competence. Continual development activities to maintain
the necessary competence to manage the audit programme.)


• How did the organization determine the competence required for their auditors?
(Reviewed ISO 19011:2018 and used that as a basis for knowledge and skills, also spoke
to BSI for suitable training courses etc.)
(Objective evidence – The organization first considered 7.2.1 a) to c) to help decide the
competence required, and desired professional behaviours (necessary attributes) 7.2.2
a) to m). Generic knowledge and skills in 7.2.3.2 a) to d), and discipline/sector-specific
competence in 7.2.3.3 a) to d). Generic competence of the audit team leader in 7.2.3.4
a) to g) and knowledge and skills for auditing multiple disciplines (if applicable) in 7.2.3.5)

• Auditor might then assess the remaining requirements in 7.2 Competence.
(Objective evidence – Where applicable, the organization has taken actions to acquire
the necessary competence, and evaluated the effectiveness of the actions taken.)
