Audit Terminology

As auditors, we should understand the key terms that make up the audit vocabulary. The definitions of selected audit terms, taken from ISO 9000:2005, are shown below in italics; the other comments are mine.

An audit is a systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.

An audit is “systematic” because it is an orderly, planned, and methodical activity. It is “independent” because it is conducted by impartial and objective auditors who do not audit their own work.

An audit is a “documented” process because management system standards require a documented audit procedure. An audit gathers “evidence” as proof of conformity or nonconformity.

Audit evidence is evaluated “objectively” based on the facts, not on hearsay or opinion. The evidence is compared to the “criteria”, the applicable requirements, to determine whether the criteria are being met.

The audit criteria are the policies, procedures, or requirements used as a reference against which audit evidence is compared.

The audit evidence includes the records, statements of fact, or other information which are relevant to the audit criteria and verifiable.

In my auditing classes, I discuss the “scales of conformity”. On one scale are the applicable requirements for the area being audited. The other scale contains the different types of evidence. The auditor’s job is to compare the evidence to the requirements to determine if the audit criteria are being met or not.

To help the students remember the types of evidence and the different categories of requirements, I devised two acronyms: DOoRS and LOCkS.

DOoRS represents the forms of evidence:

D = Documents
O = Observations
R = Records
S = Statements

LOCkS represents the types of requirements:

L = Legal
O = Organization
C = Customer
S = Standard

These acronyms will help you consider all the applicable requirements and different forms of evidence when assessing processes for conformity.

Audit findings are the results of the evaluation of the collected audit evidence against audit criteria.

After comparing evidence to the applicable requirements, an auditor may find a process to be either conforming or nonconforming, or, perhaps, an opportunity for improvement. Unfortunately, auditors often report nonconformities as “findings” when they should say “nonconformities”.

The audit conclusion is the outcome of an audit provided by the audit team after consideration of the audit objectives and all audit findings.

For internal audits, the “conclusion” may be the degree of conformity by functional areas or standard clauses, or by the types of nonconformity, e.g., failure of intent, implementation, or effectiveness.

For a third-party audit, the “conclusion” may be expressed as a recommendation for certification or not.

The audit client is the organization or person requesting an audit.

The auditee is the organization being audited.

The auditor is a person with the demonstrated personal attributes and competence to conduct an audit.

Audits are carried out on behalf of a client on an auditee by an auditor.

The audit program is a set of one or more audits planned for a specific timeframe and directed towards a specific purpose.

An audit program includes all the activities necessary for planning, organizing, and conducting audits. The program typically includes an annual schedule of audits.

The audit plan is the description of the activities and arrangements for an audit.

An audit plan typically includes the agenda for a specific audit within the overall audit program.

The audit scope is the extent and boundaries of an audit.

The audit scope generally includes the physical locations (where), the organizational units (who), the products, projects, or processes (what), and the time period (when).

A few other audit terms not defined in ISO 9000:2005 are described below:

The audit sample is the random selection of people to interview, activities to observe, documents to review, and records to examine as a representation of the whole management system. Because of the uncertainty introduced by sampling, an audit report may include a disclaimer such as:

“This audit was based on random samples during a relatively brief period of time and every aspect of the management system was not necessarily covered. Therefore, nonconformities may exist which have not been identified in this report.”

Audit objectives define what is to be accomplished by the audit. Audit objectives typically include determining conformity, evaluating effectiveness, and identifying opportunities for improvement.

An audit report is a record of the objectives, scope, criteria, findings, and conclusions for an audit.

Audit follow-up verifies the completion and effectiveness of corrective actions taken as the result of nonconformities reported in an audit.

For the definitions of other management system terms, go to the Glossary section of our web site.