Audit Program Risks

According to ISO 19011:2018, Guidelines for auditing management systems, a main difference
compared to ISO 19011:2011, is the expansion of the guidance on managing an audit program,
including audit program risk.
An “audit program” is defined in clause 3.4 as the arrangements for a set of one or more audits
planned for a specific timeframe and directed towards a specific purpose.
According to clause 5.1, the extent of an audit program should be based on the size and nature of
the auditee, as well as on the nature, functionality, complexity, the type of risks and opportunities,
and the level of maturity of the management systems to be audited.
The guidance also states that audit priority should be given to allocating resources and methods to
matters in a management system with higher inherent risk and lower level of performance.
Program Objectives
Audit program objectives should be consistent with the audit client’s strategic direction and
support management system policy and objectives. Clause 5.2 identifies multiple factors for setting
audit program objectives, including any identified risks and opportunities to the auditee.
Program Risks
There are risks and opportunities related to the context of the auditee that can be associated with
an audit program and can affect the achievement of its objectives. The audit program manager
should identify and present to the audit client the risks and opportunities considered when
developing the audit program and resource requirements, so that they can be addressed
appropriately.
According to clause 5.3, there can be risks associated with the following:
1. Planning, e.g., failure to set relevant audit objectives and determine the extent, number, duration,
locations and schedule of the audits;
2. Resources, e.g., allowing insufficient time, equipment and/or training for developing the audit
program or conducting an audit;
3. Selection of the audit team, e.g., insufficient overall competence to conduct audits effectively;
4. Communication, e.g., ineffective external/internal communication processes/channels;
5. Implementation, e.g., ineffective coordination of the audits within the audit program, or not
considering information security and confidentiality;
6. Control of documented information, e.g., ineffective determination of the necessary documented
information required by auditors and relevant interested parties, failure to adequately protect audit
records to demonstrate audit program effectiveness;
7. Monitoring, reviewing and improving the audit program, e.g., ineffective monitoring of audit
program outcomes;
8. Availability and cooperation of auditee and availability of evidence to be sampled.
Program Manager
Clause 5.4.1 provides a list of the roles and responsibilities of the audit program manager. One of
the responsibilities is to determine the external and internal issues, and risks and opportunities that
can affect the audit program, and implement actions to address them, integrating these actions in
all relevant auditing activities, as appropriate.
According to clause 5.4.2, the audit program manager should have the necessary competence to
manage the program and its associated risks and opportunities, and external and internal issues,
effectively and efficiently.
The competence of the audit program manager should include knowledge of:
1. Audit principles, methods, and processes;
2. Management system standards, other relevant standards, and reference documents;
3. Information regarding the auditee and its context;
4. Legal requirements relevant to the business activities of the auditee.
As appropriate, knowledge of risk management, project and process management, and information
and communications technology may be considered.
Clause 5.4.3 identifies multiple factors to be considered by the audit program manager when the
extent of the audit program is being established, including:
• Significant changes to the auditee’s context or operations, and related risks and opportunities;
• Occurrence of internal and external events, such as nonconformities of products or service,
information security leaks, health and safety incidents, criminal acts, or environmental incidents;
• Business risks and opportunities, including actions to address them.
Program Resources
When determining resources for the audit program, the audit program manager should consider
the factors listed in clause 5.4.4, including the extent of the audit program and its risks and
opportunities.
Program Implementation
Once the audit program has been established, and related resources have been determined, it is
necessary to implement the operational planning and the coordination of all the activities
within the program.
According to clause 5.5, the audit program manager should communicate the relevant parts of the
audit program, including the risks and opportunities involved, to relevant interested parties and
inform them periodically of its progress, using established external and internal communication
channels.
The audit program manager should also ensure the conduct of audits in accordance with the audit
program, managing all operational risks, opportunities, and issues (i.e., unexpected events), as they
arise during the deployment of the program.
Individual Audits
Clause 5.5.2 states that the objectives for an individual audit are to define what is to be
accomplished by the audit and may include:
1. Determining the extent of conformity of the management system to be audited, or parts of it,
with the audit criteria;
2. Evaluating the capability of the management system to assist the organization in meeting
relevant legal requirements and other requirements to which the organization is committed;
3. Evaluating the effectiveness of the management system in meeting its intended results;
4. Identifying opportunities for potential improvement of the management system;
5. Evaluating the suitability and adequacy of the management system with respect to the context
and strategic direction of the auditee;
6. Evaluating the capability of the management system to establish and achieve objectives and
effectively address risks and opportunities, in a changing context, including the implementation of
the related actions.
The scope of an individual audit should be consistent with the audit program and audit objectives.
It includes such factors as the locations, functions, activities, and processes to be audited, as well as
the time period covered by the audit.
The audit criteria are used as a reference against which conformity is determined. These may
include one or more of the following: applicable policies, processes, procedures, performance
criteria (including objectives), legal requirements, management system requirements, information
regarding the context, and the risks and opportunities as determined by the auditee, sector codes
of conduct, or other planned arrangements.
Audit Methods
Clause 5.5.3 states that the audit program manager should select and determine the methods for
effectively and efficiently conducting an audit, depending on the defined audit objectives, scope,
and criteria.
Audits can be performed on-site, remotely, or as a combination. The use of these methods should
be suitably balanced, based on, among others, consideration of associated risks and opportunities.
According to Annex A.1, the feasibility of remote audit activities can depend on several factors,
e.g., the level of risk to achieving the audit objectives, the level of confidence between auditor and
auditee’s personnel, and regulatory requirements.
Sampling
The risk associated with sampling is that the samples may not be representative of the population
from which they are selected. Therefore, the auditor’s conclusion may be biased and different from
that which would be reached if the entire population was examined. There may be
other risks depending on the variability within the population to be sampled and the method
chosen.
Lead Auditor
To ensure the effective conduct of an individual audit, clause 5.5.5 lists information that should be
provided to the audit team leader, including the information needed for evaluating and addressing
identified risks and opportunities to the achievement of the audit objectives.
Audit Records
The audit program manager should ensure that audit records are generated, managed, and
maintained to demonstrate the implementation of the audit program. Processes should be
established to ensure that any information security and confidentiality needs associated with the
audit records are addressed.
Clause 5.5.7 lists examples of audit records, including those addressing audit program risks and
opportunities, and relevant external and internal issues.
Program Improvements
The audit program manager and the audit client should review the audit program to assess whether
its objectives have been achieved. Lessons learned from the audit program review should be used
as inputs for the improvement of the program.
Clause 5.7 states that the audit program review should consider multiple topics, including the
effectiveness of the actions to address the risks and opportunities, and internal and external issues
associated with the audit program.
Auditor Training
Our onsite “Internal Auditor” courses have been updated for the revised guidance in ISO
19011:2018. Please see our website to view our Internal Auditor course descriptions for the ISO
9001:2015, ISO 14001:2015, ISO 45001:2018, AS9100:2016, AS9110:2016, AS9120:2016, ISO
13485:2016, and ISO 27001:2013 management system standards.