Auditor Training Module 1 – Audit Concepts and Definitions

What is auditing?

■ Most of us are familiar with the term ‘audit’.
■ Typically, ‘audit’ is considered to be associated with financial matters such as accounting, costing, taxation, etc.
■ As a result, the very mention of the word ‘audit’ evokes fear, not comfort.
■ However, management system audits are totally different in nature, whether on the quality management system ISO 9001 or other management systems such as ISO 14001 or OHSAS 18001.
■ The International Organisation for Standardisation (ISO) has even published a standard (ISO 19011:2011) to provide guidance on how to conduct management system audits.

Audit and Audit Scope

■ “Audit” is a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
■ “Audit Scope” may include the examination of System Adequacy and / or Compliance, and identification of Improvement Opportunities.

Four Types of Audit

■ Internal Audit
■ External Audit
■ Combined Audit
■ Joint Audit

Internal Audit

■ Also known as a “First Party Audit”.
■ Is conducted by, or on behalf of, the organisation itself for management review and other internal purposes (e.g. to confirm the intended operation of the management system or to obtain information for improvement of the management system), and may form the basis for an organisation’s self-declaration of conformity.
■ In many cases, particularly in smaller organisations, independence can be demonstrated by the freedom from responsibility for the activity being audited or freedom from bias and conflict of interest.

External Audit

■ Also known as a “Second” or “Third” Party Audit.
■ Second party audits are conducted by parties having an interest in the organisation, such as customers, or by other persons on their behalf.
■ Third party audits are conducted by independent auditing organisations, such as regulators or those providing registration or certification.

Combined Audit

■ When two or more management systems of different disciplines (e.g. quality, environmental, occupational health and safety) are audited together, this is termed a combined audit.

Joint Audit

■ When two or more auditing organisations cooperate to audit a single auditee, this is termed a joint audit.

Management System Audits

■ Management system audits are an effective support tool for management, checking the implementation status of policies and procedures, and providing information that can help improve process performance.
■ In order to ensure that the audit conclusions are relevant, and that different auditors arrive at similar conclusions in similar circumstances, the ISO Auditing Standard has spelt out some pre-requisites/guidelines for auditors and the audit process itself.
■ Auditing is characterised by reliance on a number of principles known as the “Six Principles of Auditing”, which every auditor and audit manager must adhere to!

Four Principles For Auditors and Audit Managers

1. Integrity
The foundation of professionalism

■ To perform the work with honesty, diligence, and responsibility.
■ To observe and respect any applicable legal requirements.
■ To demonstrate technical competence while undertaking work.
■ To perform the work in an impartial manner.
■ To be sensitive to any influences that may be exerted by other interested parties on their judgment while carrying out an audit.

2. Fair presentation
The obligation to report truthfully and accurately

■ Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the audit activities.
■ Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee may be reported.
■ The communication has to be truthful, accurate, objective, timely, clear and complete.

3. Due professional care
The application of diligence and judgement in auditing

■ Auditors should exercise due care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties.
■ An important factor in carrying out their work with due professional care is having the ability to make reasoned judgements in all audit situations.

4. Confidentiality
Security of information

■ Auditors should be prudent in the use and protection of information acquired in the course of their duties.
■ Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interest of the auditee.
■ This concept includes the proper handling of sensitive, confidential or classified information.

Plus Two Principles For Audit Process

1. Independence
The basis for the impartiality of the audit and objectivity of the audit conclusions

■ Auditors should be independent of the activity being audited and act in a manner that is free from bias and conflict of interest wherever possible. For internal audits, auditors should be independent from the operating managers of the function(s) being audited.
■ Auditors should maintain an objective state of mind throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence.
■ For small organisations, it may not be possible for internal auditors to be fully independent of the activity being audited, but every effort should be made to remove bias and allow for objectivity.

2. Evidence-based approach
The rational method for reaching reliable and reproducible audit conclusions in a systematic audit process

■ Audit evidence must be verifiable.
■ Evidence must be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources.
■ The appropriate use of sampling should be closely related to the confidence that can be placed on the audit conclusions.

Audit Terminology

Audit Terminology (1)

■ Audit Criteria: The set of policies, procedures or requirements that apply to the management system being audited.
  – audit criteria are used as a reference against which audit evidence is compared
  – if the audit criteria are selected from legal or other requirements, the audit finding is termed compliance or non-compliance
  – if the audit criteria are selected from standards (internal or external), the audit finding is termed a conformity or nonconformity

Audit Terminology (2)

■ Audit Evidence:
  – verifiable records, statement of fact or other information which are relevant to the audit criteria
  – audit evidence may be qualitative or quantitative
■ Audit Findings:
  – the results of evaluation of the collected audit evidence against audit criteria which may indicate conformity / non-conformity / opportunity for improvement / good practices
■ Audit Conclusion:
  – is the outcome of an audit, after consideration of the audit objectives and all audit findings

Audit Terminology (3)

■ Audit Client:
  – is the organisation or person requesting an audit
  – Note: the audit client may be the auditee or any other organisation which has the regulatory or contractual right to request an audit
■ Auditee:
  – is the organisation being audited
■ Auditor:
  – those conducting an audit

Audit Terminology (4)

■ Audit Team:
  – is a team of one or more auditors conducting an audit, supported (if needed) by technical experts
  – one auditor of the audit team is appointed as the lead auditor (audit team leader)
  – the audit team may include auditors-in-training
■ Audit Programme:
  – the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose
■ Audit Plan:
  – a description of the activities and arrangements for an audit

Audit Terminology (5)

■ Audit Scope:
  – the extent and boundaries of an audit
  – Note: The audit scope generally includes a description of the physical locations, organisational units, activities and processes, as well as the time period covered.
■ Competence:
  – the ability to apply knowledge and skills to achieve intended results
  – Note: Ability implies the appropriate application of personal behaviour during the audit process.
■ Risk:
  – the effect of uncertainty on objectives

Audit Terminology (6)

■ Technical Expert:
  – a person who provides specific knowledge or expertise to the audit team
  – Note: Specific knowledge or expertise is that which relates to the organisation, the process or activity to be audited, or language or culture.
  – Note: A technical expert does not act as an auditor in the audit team.
■ Conformity:
  – the fulfilment of a requirement
■ Nonconformity:
  – the non-fulfilment of a requirement
■ Guide:
  – a person appointed by the auditee to assist the audit team