Professional Documents
Culture Documents
– the extent and maturity of the information and communication systems of the
organisation to be audited which may impact the use of remote audit methods
Step 2
Implementing the Audit Programme
(clause 5.3)
General Considerations
The audit manager should implement the audit programme by:
– communicating the pertinent parts of the audit programme to relevant parties and
informing them periodically of its progress
– defining objectives, scope and criteria for each individual audit
– coordinating and scheduling audits and other activities relevant to the audit programme
– ensuring the selection of audit teams with the necessary competence
– providing necessary resources to the audit teams
– ensuring the conduct of audits in accordance with the audit programme and within the
agreed time frame
– ensuring that audit activities are recorded and records are properly managed and
maintained
Defining Audit Objectives, Scope and Criteria (1)
■ In order to develop the audit plan for each individual audit, it is necessary to identify and
document the specific audit objectives, scope, methods, criteria and procedures.
■ The audit objectives define what is to be accomplished by the audit and should be documented
in the audit plan. They may include the following:
– evaluation of the capability of a management system to ensure compliance with legal and
other requirements
■ The audit scope should be consistent with the audit programme and audit objectives. It
includes such factors as physical locations, organisational units, activities and
processes to be audited, as well as the duration of the audit.
■ The audit criteria (derived from applicable policies, objectives, procedures, standards,
legal / management system / contractual requirements, industry / business sector codes
of conduct) should be used as a reference against which conformity is determined.
■ The audit scope and audit criteria should be defined jointly by audit manager and lead
auditor in accordance with audit programme procedures, and, changes (if any) should
be agreed to by the same parties and the audit programme should be modified
accordingly.
Determining Audit Method(s)
■ The audit manager should select and determine the audit methods for an audit
depending on the defined audit objectives, scope and criteria for effectively
conducting the audit.
■ An audit team should be selected, taking into account the competence needed to
achieve the objectives of the individual audit within the defined scope.
■ If there is only one auditor, the auditor should perform all applicable duties of an
lead auditor.
– selection of the audit team members so that all of the necessary knowledge and
skills are present in the audit team
– if all the necessary competence is not covered by the auditors in the audit team,
technical experts with additional competence may be included in the teams
– technical experts should operate under the direction of an auditor but should not act
as auditors
– auditors-in-training may be included in the audit team, but should participate under
the direction and guidance of an auditor
Selecting the Audit Team (4)
■ Both the audit client and the auditee may request the replacement of particular
audit team members on reasonable grounds based on the principles of auditing.
■ Such grounds should be communicated to the lead auditor and to the audit
manager, who should discuss the issue with the audit client and auditee before
making any decisions or replacing audit team members.
Lead Auditor Responsibilities (1)
The audit manager should assign the responsibility for the conduct of the individual audit to a lead
auditor (the audit team leader).
■ The assignment should be made, and the following information provided, sufficiently in advance
to give sufficient time for effective audit planning:
– the audit objectives
– the audit criteria and any reference documents
– the audit methods and procedures
– the audit scope, including identification of the organisational and functional units and
processes to be audited
– the composition of the audit team
– the locations, dates, and duration of the audit activities to be conducted
– the allocation of appropriate resources to conduct the audit.
Lead Auditor Responsibilities (2)
The assignment information should also cover the following, as appropriate:
– the working and reporting language of the audit where this is different from the
language of the auditor and/or the auditee
The audit manager should ensure that the information provided to the lead auditor
adequately addresses identified risks to the achievement of audit objectives.
Managing Audit Records
■ The audit manager should manage and maintain records to demonstrate the
implementation of the audit programme.
■ Processes should be established to ensure that any privacy or confidentiality needs
associated with the audit records are satisfied.
■ Records should include the following:
– records related to the audit programme such as audit programme objectives,
those addressing audit risks, reviews of the audit programme effectiveness
– records related to individual audit such as audit plans & reports, nonconformity
reports, corrective and preventive action reports, audit follow-up reports, etc.
– records related to audit personnel such as competence and performance
evaluation of the audit team members, audit team selection, maintenance and
improvement of competence
Step 3
Audit Monitoring
(clause 5.4)
Audit Monitoring (1)
■ The audit manager should periodically monitor the audit implementation, including:
– reviewing and approving audit reports, and ensuring their distribution to top
management and other relevant parties
– considering the necessity of any follow-up audit
– evaluating the performance of the audit team members
– evaluating the ability of the audit teams to implement the audit plan
– evaluating conformity with audit programmes, schedules and objectives
– evaluating feedback from top management, auditees, auditors, and other
interested parties
Audit Monitoring (2)
Sometimes, for the following or other reasons, it may be necessary to modify the
audit programme before completion:
– change of supplier
Step 4 - Reviewing and Improving Audits
(clause 5.5)
The audit manager should review the audit programme to assess whether its objectives
have been met, including:
– results and trends from monitoring
– conformity with audit programme procedure(s)
– evolving needs and expectations of interested parties
– audit programme records, alternative or new auditing methods
– effectiveness of the measures taken to address audit risks
– confidentiality & information security issues relating to the audit programme
– continual professional development of auditors
Note 1 : The audit manager should review the overall implementation of the audit
programme, identify areas for improvement and amend the programme, and report the
results to the top management.
Note 2 : Lessons learned from the review should be used for continual improvement.