Audit Program Risks

According to ISO 19011:2018, Guidelines for auditing management systems, one main difference compared to ISO 19011:2011 is the expansion of the guidance on managing an audit program, including audit program risk.

An “audit program” is defined in clause 3.4 as the arrangements for a set of one or more audits planned for a specific timeframe and directed towards a specific purpose.

According to clause 5.1, the extent of an audit program should be based on the size and nature of the auditee, as well as on the nature, functionality, complexity, the type of risks and opportunities, and the level of maturity of the management systems to be audited.

The guidance also states that audit priority should be given to allocating resources and methods to matters in a management system with higher inherent risk and lower level of performance.

Program Objectives

Audit program objectives should be consistent with the audit client’s strategic direction and support management system policy and objectives. Clause 5.2 identifies multiple factors for setting audit program objectives, including any identified risks and opportunities to the auditee.

Program Risks

There are risks and opportunities related to the context of the auditee that can be associated with an audit program and can affect the achievement of its objectives. The audit program manager should identify and present to the audit client the risks and opportunities considered when developing the audit program and resource requirements, so that they can be addressed appropriately.

According to clause 5.3, there can be risks associated with the following:

1. Planning, e.g., failure to set relevant audit objectives and determine the extent, number, duration, locations and schedule of the audits;
2. Resources, e.g., allowing insufficient time, equipment and/or training for developing the audit program or conducting an audit;
3. Selection of the audit team, e.g., insufficient overall competence to conduct audits effectively;
4. Communication, e.g., ineffective external/internal communication processes/channels;
5. Implementation, e.g., ineffective coordination of the audits within the audit program, or not considering information security and confidentiality;
6. Control of documented information, e.g., ineffective determination of the necessary documented information required by auditors and relevant interested parties, failure to adequately protect audit records to demonstrate audit program effectiveness;
7. Monitoring, reviewing and improving the audit program, e.g., ineffective monitoring of audit program outcomes;
8. Availability and cooperation of auditee and availability of evidence to be sampled.

Program Manager

Clause 5.4.1 provides a list of the roles and responsibilities of the audit program manager. One of the responsibilities is to determine the external and internal issues, and risks and opportunities that can affect the audit program, and implement actions to address them, integrating these actions in all relevant auditing activities, as appropriate.

According to clause 5.4.2, the audit program manager should have the necessary competence to manage the program and its associated risks and opportunities, and external and internal issues, effectively and efficiently.

The competence of the audit program manager should include knowledge of:

1. Audit principles, methods, and processes;
2. Management system standards, other relevant standards, and reference documents;
3. Information regarding the auditee and its context;
4. Legal requirements relevant to the business activities of the auditee.

As appropriate, knowledge of risk management, project and process management, and information and communications technology may be considered.

Clause 5.4.3 identifies multiple factors to be considered by the audit program manager when the extent of the audit program is being established, including:

  • Significant changes to the auditee’s context or operations, and related risks and opportunities;
  • Occurrence of internal and external events, such as nonconformities of products or service, information security leaks, health and safety incidents, criminal acts, or environmental incidents;
  • Business risks and opportunities, including actions to address them.

Program Resources

When determining resources for the audit program, the audit program manager should consider the factors listed in clause 5.4.4, including the extent of the audit program and its risks and opportunities.

Program Implementation

Once the audit program has been established, and related resources have been determined, it is necessary to implement the operational planning and the coordination of all the activities within the program.

According to clause 5.5, the audit program manager should communicate the relevant parts of the audit program, including the risks and opportunities involved, to relevant interested parties and inform them periodically of its progress, using established external and internal communication channels.

The audit program manager should also ensure the conduct of audits in accordance with the audit program, managing all operational risks, opportunities, and issues (i.e., unexpected events), as they arise during the deployment of the program.

Individual Audits

Clause 5.5.2 states that the objectives for an individual audit are to define what is to be accomplished by the audit and may include:

1. Determining the extent of conformity of the management system to be audited, or parts of it, with the audit criteria;
2. Evaluating the capability of the management system to assist the organization in meeting relevant legal requirements and other requirements to which the organization is committed;
3. Evaluating the effectiveness of the management system in meeting its intended results;
4. Identifying opportunities for potential improvement of the management system;
5. Evaluating the suitability and adequacy of the management system with respect to the context and strategic direction of the auditee;
6. Evaluating the capability of the management system to establish and achieve objectives and effectively address risks and opportunities, in a changing context, including the implementation of the related actions.

The scope of an individual audit should be consistent with the audit program and audit objectives. It includes such factors as locations, functions, activities, and processes to be audited, as well as the time period covered by the audit.

The audit criteria are used as a reference against which conformity is determined. These may include one or more of the following: applicable policies, processes, procedures, performance criteria (including objectives), legal requirements, management system requirements, information regarding the context, and the risks and opportunities as determined by the auditee, sector codes of conduct, or other planned arrangements.

Audit Methods

Clause 5.5.3 states that the audit program manager should select and determine the methods for effectively and efficiently conducting an audit, depending on the defined audit objectives, scope, and criteria.

Audits can be performed on-site, remotely, or as a combination. The use of these methods should be suitably balanced, based on, among other things, consideration of the associated risks and opportunities.

According to Annex A.1, the feasibility of remote audit activities can depend on several factors, e.g., the level of risk to achieving the audit objectives, the level of confidence between auditor and auditee’s personnel, and regulatory requirements.
The risk associated with sampling is that the samples may not be representative of the population from which they are selected. Therefore, the auditor’s conclusion may be biased and different from the one that would be reached if the entire population were examined. There may be other risks depending on the variability within the population to be sampled and the sampling method chosen.
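As an added illustration of the sampling risk described above (example code, not part of ISO 19011 or of the original article), the following Python snippet quantifies how likely a simple random sample is to miss every nonconforming record, and contrasts a representative random sample with one drawn from a single site. The population of access-review records, the two sites and the nonconformity counts are constructed for the example.

```python
"""Sampling-risk illustration for audit evidence.
Constructed example: 200 access-review records across two sites, with all
10 nonconformities clustered at site B (a common real-world pattern)."""
from math import comb
import random


def prob_miss_all(population, nonconforming, sample_size):
    """Probability that a simple random sample (without replacement) of
    `sample_size` records contains none of the `nonconforming` records.
    Hypergeometric: C(N-K, n) / C(N, n)."""
    if sample_size > population - nonconforming:
        return 0.0  # sample is larger than the conforming subset: a hit is certain
    return comb(population - nonconforming, sample_size) / comb(population, sample_size)


def sample_size_for_confidence(population, nonconforming, confidence):
    """Smallest sample size whose chance of catching at least one
    nonconforming record is at least `confidence`."""
    for n in range(1, population + 1):
        if 1 - prob_miss_all(population, nonconforming, n) >= confidence:
            return n
    return population


def build_population(seed=1):
    """Constructed population: ids 0-99 at site A, 100-199 at site B,
    10 nonconforming records all located at site B."""
    rng = random.Random(seed)
    records = [{"id": i, "site": "A" if i < 100 else "B", "nonconforming": False}
               for i in range(200)]
    for i in rng.sample(range(100, 200), 10):
        records[i]["nonconforming"] = True
    return records


def nonconformity_rate(records, sample_size, site=None, seed=7):
    """Estimated nonconformity rate from a random sample; restricting the
    sample to one site models a biased (non-representative) selection."""
    rng = random.Random(seed)
    pool = [r for r in records if site is None or r["site"] == site]
    chosen = rng.sample(pool, sample_size)
    return sum(r["nonconforming"] for r in chosen) / sample_size


if __name__ == "__main__":
    pop = build_population()
    print("True rate            :", sum(r["nonconforming"] for r in pop) / len(pop))
    print("Random sample of 20  :", nonconformity_rate(pop, 20))
    print("Site-A-only sample   :", nonconformity_rate(pop, 20, site="A"))
    print("P(miss all), n=20    :", round(prob_miss_all(200, 10, 20), 3))
    print("n for 95% confidence :", sample_size_for_confidence(200, 10, 0.95))
```

The site-A-only sample reports a zero nonconformity rate regardless of its size, which is the biased conclusion the paragraph warns about; the probability figures show how sample size alone still leaves a residual chance of missing every nonconformity.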

Lead Auditor

To ensure the effective conduct of an individual audit, clause 5.5.5 lists information that should be provided to the audit team leader, including the information needed for evaluating and addressing identified risks and opportunities to the achievement of the audit objectives.

Audit Records

The audit program manager should ensure that audit records are generated, managed, and maintained to demonstrate the implementation of the audit program. Processes should be established to ensure that any information security and confidentiality needs associated with the audit records are addressed.

Clause 5.5.7 lists examples of audit records, including those addressing audit program risks and opportunities, and relevant external and internal issues.

Program Improvements

The audit program manager and the audit client should review the audit program to assess whether its objectives have been achieved. Lessons learned from the audit program review should be used as inputs for the improvement of the program.

Clause 5.7 states that the audit program review should consider multiple topics, including the effectiveness of the actions to address the risks and opportunities, and internal and external issues associated with the audit program.

Auditor Training

Our onsite “Internal Auditor” courses have been updated for the revised guidance in ISO 19011:2018. Please see our website to view our Internal Auditor course descriptions for the ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, AS9100:2016, AS9110:2016, AS9120:2016, ISO 13485:2016, and ISO 27001:2013 management system standards.