I.S. EN ISO is the adopted Irish version of the European standard. INTERNATIONAL STANDARD ISO, Third edition: Guidelines for auditing management systems.
It supersedes BS EN ISO which is withdrawn. This document (EN ISO ) has been prepared by Technical Committee ISO/TC ". This document provides guidance on auditing management systems, including the principles of auditing, managing an audit programme and. For an explanation on the voluntary nature of standards, the meaning of ISO This third edition cancels and replaces the second edition (ISO ).
Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission.
The planning of internal audit programmes and, in some cases programmes for auditing external providers, can be arranged to contribute to other objectives of the organization. The individual(s) managing the audit programme should ensure the integrity of the audit is maintained and that there is not undue influence exerted over the audit. Audit priority should be given to allocating resources and methods to matters in a management system with higher inherent risk and lower level of performance.
Competent individuals should be assigned to manage the audit programme. The audit programme should include information and identify resources to enable the audits to be conducted effectively and efficiently within the specified time frames.
The information should include: Some of this information may not be available until more detailed audit planning is complete. The implementation of the audit programme should be monitored and measured on an ongoing basis see 5. The audit programme should be reviewed in order to identify needs for changes and possible opportunities for improvements see 5.
Figure 1 illustrates the process flow for the management of an audit programme. These objectives can be based on consideration of the following: KPIs, the occurrence of nonconformities or incidents or complaints from interested parties; f) identified risks and opportunities to the auditee; g) results of previous audits.
Examples of audit programme objectives can include the following: The individual(s) managing the audit programme should identify and present to the audit client the risks and opportunities considered when developing the audit programme and resource requirements, so that they can be addressed appropriately. There can be risks associated with the following: Opportunities for improving the audit programme can include: The individual(s) managing the audit programme should request its approval by the audit client.
As appropriate, knowledge of risk management, project and process management, and information and communications technology (ICT) may be considered. The individual(s) managing the audit programme should engage in appropriate continual development activities to maintain the necessary competence to manage the audit programme. This can vary depending on the information provided by the auditee regarding its context see 5.
NOTE In certain cases, depending on the auditee's structure or its activities, the audit programme might only consist of a single audit e.
Other factors impacting the extent of an audit programme can include the following: The individual(s) managing the audit programme should: These should be consistent with the overall audit programme objectives. The audit objectives define what is to be accomplished by the individual audit and may include the following: The audit scope should be consistent with the audit programme and audit objectives.
It includes such factors as locations, functions, activities and processes to be audited, as well as the time period covered by the audit.
The audit criteria are used as a reference against which conformity is determined. These may include one or more of the following: In the event of any changes to the audit objectives, scope or criteria, the audit programme should be modified if necessary and communicated to interested parties, for approval if appropriate.
When more than one discipline is being audited at the same time it is important that the audit objectives, scope and criteria are consistent with the relevant audit programmes for each discipline. Some disciplines can have a scope that reflects the whole organization and others can have a scope that reflects a subset of the whole organization. Audits can be performed on-site, remotely or as a combination.
The use of these methods should be suitably balanced, based on, among others, consideration of associated risks and opportunities. Where two or more auditing organizations conduct a joint audit of the same auditee, the individuals managing the different audit programmes should agree on the audit methods and consider implications for resourcing and planning the audit.
If an auditee operates two or more management systems of different disciplines, combined audits may be included in the audit programme. An audit team should be selected, taking into account the competence needed to achieve the objectives of the individual audit within the defined scope. If there is only one auditor, the auditor should perform all applicable duties of an audit team leader. NOTE Clause 7 contains guidance on determining the competence required for the audit team members and describes the processes for evaluating auditors.
To assure the overall competence of the audit team, the following steps should be performed: In deciding the size and composition of the audit team for the specific audit, consideration should be given to the following: These issues may be addressed either by the auditor's own skills or through the support of a technical expert, also considering the need for interpreters; h) type and complexity of the processes to be audited.
Where appropriate, the individual(s) managing the audit programme should consult the team leader on the composition of the audit team. If the necessary competence is not covered by the auditors in the audit team, technical experts with additional competence should be made available to support the team. Auditors-in-training may be included in the audit team, but should participate under the direction and guidance of an auditor. If such a situation arises, it should be resolved with the appropriate parties e.
The assignment should be made in sufficient time before the scheduled date of the audit, in order to ensure the effective planning of the audit.
To ensure effective conduct of the individual audits, the following information should be provided to the audit team leader: The assignment information should also cover the following, as appropriate: Where a joint audit is conducted, it is important to reach agreement among the organizations conducting the audits, before the audit commences, on the specific responsibilities of each party, particularly with regard to the authority of the team leader appointed for the audit.
The individual managing the audit programme should consider, where appropriate: Processes should be established to ensure that any information security and confidentiality needs associated with the audit records are addressed. Records can include the following: The form and level of detail of the records should demonstrate that the objectives of the audit programme have been achieved. Some factors can indicate the need to modify the audit programme.
These can include changes to: Lessons learned from the audit programme review should be used as inputs for the improvement of the programme. The individual s managing the audit programme should ensure the following: The audit programme review should consider the following: Figure 2 provides an overview of the activities performed in a typical audit. The extent to which the provisions of this clause are applicable depends on the objectives and scope of the specific audit.
To initiate an audit, the steps in Figure 1 should be considered; however, the sequence can differ depending on the auditee, processes and specific circumstances of the audit. The determination of feasibility should take into consideration factors such as the availability of the following: NOTE Resources include access to adequate and appropriate information and communication technology. Where the audit is not feasible, an alternative should be proposed to the audit client, in agreement with the auditee.
The documented information should include, but not be limited to: It should also take into account the audit scope, criteria and objectives. Planning should facilitate the efficient scheduling and coordination of the audit activities in order to achieve the objectives effectively. The amount of detail provided in the audit plan should reflect the scope and complexity of the audit, as well as the risk of not achieving the audit objectives. In planning the audit, the audit team leader should consider the following: For combined audits, particular attention should be given to the interactions between operational processes and any competing objectives and priorities of the different management systems.
Audit planning should be sufficiently flexible to permit changes which can become necessary as the audit activities progress. Audit planning should address or reference the following: Audit planning should take into account, as appropriate: Any issues with the audit plans should be resolved between the audit team leader, the auditee and, if necessary, the individual(s) managing the audit programme.
Such assignments should take into account the impartiality and objectivity and competence of auditors and the effective use of resources, as well as different roles and responsibilities of auditors, auditors-in-training and technical experts.
Audit team meetings should be held, as appropriate, by the audit team leader in order to allocate work assignments and decide possible changes. Changes to the work assignments can be made as the audit progresses in order to ensure the achievement of the audit objectives. The documented information for the audit can include but is not limited to: The use of these media should not restrict the extent of audit activities, which can change as a result of information collected during the audit.
Documented information prepared for, and resulting from, the audit should be retained at least until audit completion, or as specified in the audit programme. Retention of documented information after audit completion is described in 6. Documented information created during the audit process involving confidential or proprietary information should be suitably safeguarded at all times by the audit team members. This sequence may be varied to suit the circumstances of specific audits.
They should not influence or interfere with the conduct of the audit. If this cannot be assured, the audit team leader should have the right to deny observers from being present during certain audit activities. For observers, any arrangements for access, health and safety, environmental, security and confidentiality should be managed between the audit client and the auditee. Their responsibilities should include the following: During the meeting, an opportunity to ask questions should be provided.
The degree of detail should be consistent with the familiarity of the auditee with the audit process. In many instances, e. For other audit situations, the meeting may be formal and records of attendance should be retained. The meeting should be chaired by the audit team leader. Introduction of the following should be considered, as appropriate: Confirmation of the following items should be considered, as appropriate: The presentation of information on the following items should be considered, as appropriate: The audit team should confer periodically to exchange information, assess audit progress and reassign work between the audit team members, as needed.
During the audit, the audit team leader should periodically communicate the progress, any significant findings and any concerns to the auditee and audit client, as appropriate. Evidence collected during the audit that suggests an immediate and significant risk should be reported without delay to the auditee and, as appropriate, to the audit client.
Any concern about an issue outside the audit scope should be noted and reported to the audit team leader, for possible communication to the audit client and auditee.
Where the available audit evidence indicates that the audit objectives are unattainable, the audit team leader should report the reasons to the audit client and the auditee to determine appropriate action. Such action may include changes to audit planning, the audit objectives or audit scope, or termination of the audit.
Any need for changes to the audit plan which may become apparent as auditing activities progress should be reviewed and accepted, as appropriate, by both the individual(s) managing the audit programme and the audit client, and presented to the auditee. The location is where the information needed for the specific audit activity is available to the audit team. This may include physical and virtual locations. Where, when and how to access audit information is crucial to the audit.
Based on these issues, the audit methods need to be determined see Table A.
The audit can use a mixture of methods. Also, audit circumstances may mean that the methods need to change during the audit. If adequate documented information cannot be provided within the time frame given in the audit plan, the audit team leader should inform both the individual(s) managing the audit programme and the auditee. Depending on the audit objectives and scope, a decision should be made as to whether the audit should be continued or suspended until documented information concerns are resolved.
Only information that can be subject to some degree of verification should be accepted as audit evidence.
Where the degree of verification is low the auditor should use their professional judgement to determine the degree of reliance that can be placed on it as evidence. Audit evidence leading to audit findings should be recorded. If, during the collection of objective evidence, the audit team becomes aware of any new or changed circumstances, or risks or opportunities, these should be addressed by the team accordingly.
Figure 2 provides an overview of a typical process, from collecting information to reaching audit conclusions. Figure 2 — Overview of a typical process of collecting and verifying information Methods of collecting information include, but are not limited to the following: Audit findings can indicate conformity or nonconformity with audit criteria.
When specified by the audit plan, individual audit findings should include conformity and good practices along with their supporting evidence, opportunities for improvement, and any recommendations to the auditee. Nonconformities and their supporting audit evidence should be recorded.
Nonconformities can be graded depending on the context of the organization and its risks. This grading can be quantitative e. They should be reviewed with the auditee in order to obtain acknowledgement that the audit evidence is accurate and that the nonconformities are understood.
Every attempt should be made to resolve any diverging opinions concerning the audit evidence or findings. Unresolved issues should be recorded in the audit report. The audit team should meet as needed to review the audit findings at appropriate stages during the audit. NOTE 2 Conformity or nonconformity with audit criteria related to statutory or regulatory requirements or other requirements, is sometimes referred to as compliance or non-compliance.
The closing meeting should be chaired by the audit team leader and attended by the management of the auditee and include, as applicable: If applicable, the audit team leader should advise the auditee of situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions. If defined in the management system or by agreement with the audit client, the participants should agree on the time frame for an action plan to address audit findings.
The familiarity of the auditee with the audit process should also be taken into consideration during the closing meeting, to ensure the correct level of detail is provided to participants. For some audit situations, the meeting can be formal and minutes, including records of attendance, should be kept.
In other instances, e. As appropriate, the following should be explained to the auditee in the closing meeting: Any diverging opinions regarding the audit findings or conclusions between the audit team and the auditee should be discussed and, if possible, resolved. If not resolved, this should be recorded. If specified by the audit objectives, opportunities for improvement recommendations may be presented.
It should be emphasized that recommendations are not binding. The audit report should provide a complete, accurate, concise and clear record of the audit, and should include or refer to the following: The audit report can also include or refer to the following, as appropriate: If it is delayed, the reasons should be communicated to the auditee and the individual(s) managing the audit programme.
The audit report should be dated, reviewed and accepted, as appropriate, in accordance with the audit programme.
When distributing the audit report, appropriate measures to ensure confidentiality should be considered. Documented information pertaining to the audit should be retained or disposed of by agreement between the participating parties and in accordance with audit programme and applicable requirements. Unless required by law, the audit team and the individual(s) managing the audit programme should not disclose any information obtained during the audit, or the audit report, to any other party without the explicit approval of the audit client and, where appropriate, the approval of the auditee.
If disclosure of the contents of an audit document is required, the audit client and auditee should be informed as soon as possible. Lessons learned from the audit can identify risks and opportunities for the audit programme and the auditee. Such actions are usually decided and undertaken by the auditee within an agreed timeframe. The completion and effectiveness of these actions should be verified. This verification may be part of a subsequent audit. Outcomes should be reported to the individual managing the audit programme and reported to the audit client for management review.
Competence should be evaluated regularly through a process that considers personal behaviour and the ability to apply the knowledge and skills gained through education, work experience, auditor training and audit experience. This process should take into consideration the needs of the audit programme and its objectives. Some of the knowledge and skills described in 7. It is not necessary for each auditor in the audit team to have the same competence.
However, the overall competence of the audit team needs to be sufficient to achieve the audit objectives. The evaluation of auditor competence should be planned, implemented and documented to provide an outcome that is objective, consistent, fair and reliable. The evaluation process should include four main steps, as follows: The outcome of the evaluation process should provide a basis for the following: Auditors should develop, maintain and improve their competence through continual professional development and regular participation in audits see 7.
A process for evaluating auditors and audit team leaders is described in 7. Auditors and audit team leaders should be evaluated against the criteria set out in 7. The competence required of the individual(s) managing the audit programme is described in 5.
This information should be matched against that listed in 7. Auditors should exhibit professional behaviour during the performance of audit activities. Desired professional behaviours include being: Audit team leaders should have the additional knowledge and skills necessary to provide leadership to the audit team. An auditor should be able to: NOTE Awareness of statutory and regulatory requirements does not imply legal expertise and a management system audit should not be treated as a legal compliance audit.
The discipline and sector-specific competence of auditors include the following: Audit team leaders should understand the requirements of each of the management system standards being audited and recognize the limits of their competence in each of the disciplines. NOTE Audits of multiple disciplines done simultaneously can be done as a combined audit or as an audit of an integrated management system that covers multiple disciplines.
NOTE Successful completion of a training course will depend on the type of course. For courses with an examination component it can mean successfully passing the examination.