
Audit Training

Module 2 - Audit Management


A PDCA Approach to Audit Management
■ Plan - Determine the audit programme:
– objectives, manager’s role, extent, risks, procedures and resources
■ Do - Implement the audit programme:
– Define individual audit objectives, scope and criteria and audit method
– Select the audit team and assign lead auditors
– Manage and maintain audit programme records
– Competence and evaluation of auditors
– Audit Activities
■ Check:
– Monitoring the audit programme
■ Act:
– Reviewing & improving audit programme
Step 1
Establishing the Audit Programme
(clause 5.2)
Developing Audit Objectives (1)
Objectives should be set to give direction to the planning and conduct of audits and to
ensure the audit programme is implemented effectively. When setting them, take into account:
– management priorities, commercial and/or business intentions
– management system(s) requirements
– legal and other requirements
– need for supplier evaluation
– needs and expectations of interested parties (including customers)
– auditee’s level of performance, as reflected in the occurrence of failures or
incidents or customer complaints
– risks to the organisation being audited
– results of previous audits
– level of maturity of the management system
Developing Audit Objectives (2)
Typical examples of audit programme objectives:
– “To contribute to the improvement of a management system and its performance.”
– “To meet external requirements”, e.g. certification to a management system standard.
– “To verify conformity with contractual requirements.”
– “To obtain and maintain confidence in the capability of a supplier.”
– “To evaluate compatibility and alignment of the management system objectives with the
management system policy and the overall business objectives.”
Audit Manager’s Responsibilities
The audit manager must:
– establish the extent of the audit programme
– evaluate the risks for the audit programme
– establish audit responsibilities and procedures
– ensure necessary resources are provided, including the evaluation of auditors
– ensure the implementation of the audit programme, such as defining audit objectives,
scope and criteria of the individual audits, determining audit methods and selecting the
audit team
– ensure that appropriate audit programme records are maintained
– monitor, review and improve the audit programme
Note: The person assigned responsibility for managing an audit programme should inform
top management of the contents of the audit programme and, where necessary, ask for its
approval.
Audit Manager Competence
The audit manager should be competent to manage the audit programme effectively
and efficiently and have competence in:
– audit principles, procedures, methods and techniques
– management system and reference documents
– applicable legal and other requirements relevant to the activities and/or
products of the organisation to be audited
– organisational products and processes
– customer(s), supplier(s) and other interested parties of the organisation to be
audited, where applicable
– risks associated with the audit programme
Audit Extent (1)
The audit manager should establish the extent of the audit programme, taking into account:
– the size and nature of the organisation to be audited
– the nature, functionality, complexity and level of maturity of the management
system to be audited
Other factors affecting the extent include:
– the scope, objectives and duration of each audit, and the frequency of audits
– the number, importance, similarity and locations of the activities to be audited
– those matters of significance to the effectiveness of the management system
– legal and other requirements, such as standards, contractual requirements, etc.
– the need to meet external requirements, say, for certification
Audit Extent (2)
Further factors affecting the extent include:
– conclusions of previous internal / external audits or results of previous audit
programme review
– language, cultural and social issues
– the concerns of interested parties such as customer complaints, regulatory
breaches, etc.
– significant changes to the organisation to be audited or its operations
– the extent and maturity of the information and communications technologies of the
auditee, which can impact the use of remote audit methods
– the occurrence of internal and external events such as product failure,
contamination, information security leak, health and safety incident, criminal acts or
environmental incident
Evaluating Audit Risks
The audit manager should consider the risks associated with establishing,
implementing, monitoring and reviewing an audit programme, including:
– planning, e.g. failure to set the objectives and extent of audit programme
– resources, e.g. allotting insufficient time to develop the audit programme
– selection of the audit team, e.g. the team does not have the collective
competence to conduct the audit effectively
– implementation, e.g. ineffective communication of the audit programme
– records, e.g. failure to adequately protect audit records to demonstrate audit
programme effectiveness
– monitoring, reviewing and improving the audit programme, e.g. ineffective
monitoring of audit programme outcomes
Establishing Audit Procedures
The audit manager should establish one or more audit procedures, addressing the
following:
– planning and scheduling audits considering audit programme risks
– managing information security, confidentiality, risks to the organisation from
auditing activities and other matters related to the audit programme
– assuring the competence of auditors and lead auditors
– selecting appropriate audit teams and assigning their roles and responsibilities
– conducting audits, including the use of appropriate sampling methods
– conducting audit follow-up, if applicable
– reporting to the audit client (e.g. top management) on the overall achievements
of the audit programme
– monitoring the performance, risks and effectiveness of the audit programme
– maintaining audit programme records
Identifying Audit Resources
When identifying resources for the audit programme, the audit manager should consider:
– the financial resources necessary to develop, implement, manage and improve audit
activities
– audit methods / techniques
– the availability of auditors and technical experts having competence appropriate to the
particular audit programme objectives
– the extent of the audit programme
– travelling time and cost, accommodation and other auditing needs
– the extent and maturity of the information and communication systems of the
organisation to be audited, which may impact the use of remote audit methods
Step 2
Implementing the Audit Programme
(clause 5.3)
General Considerations
The audit manager should implement the audit programme by:
– communicating the pertinent parts of the audit programme to relevant parties and
informing them periodically of its progress
– defining objectives, scope and criteria for each individual audit
– coordinating and scheduling audits and other activities relevant to the audit programme
– ensuring the selection of audit teams with the necessary competence
– providing necessary resources to the audit teams
– ensuring the conduct of audits in accordance with the audit programme and within the
agreed time frame
– ensuring that audit activities are recorded and records are properly managed and
maintained
Defining Audit Objectives, Scope and Criteria (1)
■ In order to develop the audit plan for each individual audit, it is necessary to identify and
document the specific audit objectives, scope, methods, criteria and procedures.
■ The audit objectives define what is to be accomplished by the audit and should be documented
in the audit plan. They may include the following:
– determination of the extent of conformity of a management system to be audited, or parts
of it, with audit criteria
– evaluation of the capability of a management system to ensure compliance with legal and
other requirements
– evaluation of the effectiveness of a management system in meeting its specified
objectives
– identification of areas for potential improvement of a management system
– treatment of confidential information, including the extent of disclosure

Defining Audit Objectives, Scope and Criteria (2)
■ The audit manager should define the individual audit objectives, and these objectives
must be consistent with the overall audit programme objectives.

■ The audit scope should be consistent with the audit programme and audit objectives. It
includes such factors as physical locations, organisational units, activities and
processes to be audited, as well as the duration of the audit.

■ The audit criteria (derived from applicable policies, objectives, procedures, standards,
legal / management system / contractual requirements, industry / business sector codes
of conduct) should be used as a reference against which conformity is determined.

■ The audit scope and audit criteria should be defined jointly by the audit manager and lead
auditor in accordance with audit programme procedures. Any changes should be agreed by the
same parties and the audit programme modified accordingly.
Determining Audit Method(s)

■ The audit manager should select and determine the audit methods for an audit
depending on the defined audit objectives, scope and criteria for effectively
conducting the audit.
■ If an organisation to be audited operates two or more management systems of
different disciplines (such as QMS and EMS), combined audits may be included in
the audit programme. In such a case, special attention should be paid to the
competence of the audit team.
Selecting the Audit Team (1)
■ The audit manager should appoint the members of the audit team, including the
team leader and any technical expert(s) needed for the specific audit.

■ An audit team should be selected, taking into account the competence needed to
achieve the objectives of the individual audit within the defined scope.

■ If there is only one auditor, the auditor should perform all applicable duties of a
lead auditor.
■ Note: Clause 7 of ISO 19011:2011 contains guidance on determining the
competence required for the audit team members and describes processes for
evaluating auditors.
Selecting the Audit Team (2)
In deciding the size and composition of the audit team for the specific audit, consideration should
be given to the following:
– the overall competence of the audit team needed to achieve audit objectives, scope and
criteria
– type of audit (combined / joint) and the kind of audit methods selected
– legal and other requirements such as contractual requirements
– the need to ensure the independence of the audit team from the activities to be audited
and to avoid any conflict of interest
– the ability of audit team members to interact effectively with the auditee
– the language of the audit, and an understanding of the auditee’s particular social and
cultural characteristics
These issues may be addressed either by the auditor's own skills or through the support of a
technical expert.
Selecting the Audit Team (3)
To assure the overall competence of the audit team, the following steps should be
performed:

– identification of knowledge and skills needed to achieve the objectives of audit

– selection of the audit team members so that all of the necessary knowledge and
skills are present in the audit team

– if all the necessary competence is not covered by the auditors in the audit team,
technical experts with additional competence may be included in the teams

– technical experts should operate under the direction of an auditor but should not act
as auditors

– auditors-in-training may be included in the audit team, but should participate under
the direction and guidance of an auditor
Selecting the Audit Team (4)
■ Both the audit client and the auditee may request the replacement of particular
audit team members on reasonable grounds based on the principles of auditing.
■ Examples of reasonable grounds include lack of competence or previous unethical
behaviour, conflict of interest situations (such as, in the case of second or third party
audits, an audit team member having been a former employee of the auditee or
having provided consultancy services to the auditee), etc.

■ Such grounds should be communicated to the lead auditor and to the audit
manager, who should discuss the issue with the audit client and auditee before
making any decisions or replacing audit team members.
Lead Auditor Responsibilities (1)
The audit manager should assign the responsibility for the conduct of the individual audit to a lead
auditor (the audit team leader).
■ The assignment should be made, and the following information provided, sufficiently in advance
to allow effective audit planning:
– the audit objectives
– the audit criteria and any reference documents
– the audit methods and procedures
– the audit scope, including identification of the organisational and functional units and
processes to be audited
– the composition of the audit team
– the locations, dates, and duration of the audit activities to be conducted
– the allocation of appropriate resources to conduct the audit.
Lead Auditor Responsibilities (2)
The assignment information should also cover the following, as appropriate:
– the working and reporting language of the audit where this is different from the
language of the auditor and/or the auditee
– audit report contents requested by the audit programme
– matters related to confidentiality and information security, if required by the
audit programme
– any follow-up actions, for example, from a previous audit, if applicable

The audit manager should ensure that the information provided to the lead auditor
adequately addresses identified risks to the achievement of audit objectives.
Managing Audit Records
■ The audit manager should manage and maintain records to demonstrate the
implementation of the audit programme.
■ Processes should be established to ensure that any privacy or confidentiality needs
associated with the audit records are satisfied.
■ Records should include the following:
– records related to the audit programme such as audit programme objectives,
those addressing audit risks, reviews of the audit programme effectiveness
– records related to individual audit such as audit plans & reports, nonconformity
reports, corrective and preventive action reports, audit follow-up reports, etc.
– records related to audit personnel such as competence and performance
evaluation of the audit team members, audit team selection, maintenance and
improvement of competence
Step 3
Audit Monitoring
(clause 5.4)
Audit Monitoring (1)
■ The audit manager should periodically monitor the audit implementation, including:
– reviewing and approving audit reports, and ensuring their distribution to top
management and other relevant parties
– considering the necessity of any follow-up audit
– evaluating the performance of the audit team members
– evaluating the ability of the audit teams to implement the audit plan
– evaluating conformity with audit programmes, schedules and objectives
– evaluating feedback from top management, auditees, auditors, and other
interested parties
Audit Monitoring (2)

Sometimes, for the following or other reasons, it may be necessary to modify the
audit programme before completion:

– initial audit findings

– demonstrated level of management system effectiveness

– changes to the client’s or the auditee’s management system

– change of legal requirements and/or standard

– change of supplier
Step 4 - Reviewing and Improving the Audit Programme
(clause 5.5)
The audit manager should review the audit programme to assess whether its objectives
have been met, taking into account:
– results and trends from monitoring
– conformity with audit programme procedure(s)
– evolving needs and expectations of interested parties
– audit programme records, alternative or new auditing methods
– effectiveness of the measures taken to address audit risks
– confidentiality & information security issues relating to the audit programme
– continual professional development of auditors
Note 1 : The audit manager should review the overall implementation of the audit
programme, identify areas for improvement and amend the programme, and report the
results to the top management.
Note 2 : Lessons learned from the review should be used for continual improvement.