Audit

An audit is an evidence gathering process. Audit evidence is
used to evaluate how well audit criteria are being met. Audits
must be objective, impartial, and independent, and the audit
process must be both systematic and documented.

There are three types of audits: first-party, second-party, and
third-party. First-party audits are internal audits. Second and
third party audits are external audits.

Organizations use first party audits to audit themselves. First
party audits are used to confirm or improve the effectiveness
of management systems. They're also used to declare that an
organization complies with an ISO standard (this is called a
self-declaration). Of course, such a declaration is credible
only if first party auditors are genuinely independent and
free of bias. If you decide to use first party auditors to
make a self-declaration of compliance, make sure
that they aren't auditing their own work.

Second party audits are external audits. They’re usually
done by customers or by others on their behalf. However,
they can also be done by regulators or any other external
party that has a formal interest in an organization.

Third party audits are external audits as well. However,
they’re performed by independent organizations such
as registrars (certification bodies) or regulators.

ISO 19011 2011 also distinguishes between combined
audits and joint audits. When two or more management
systems of different disciplines are audited together at the
same time, it's called a combined audit; and when two or
more auditing organizations cooperate to audit a single
auditee organization it's called a joint audit.

ISO 19011 2011 should be used by those who carry out
first and second party audits. ISO/IEC 17021 2011 should
be used by those who carry out third party audits.

Auditee

An auditee is an organization (or part of an organization)
that is being audited. Organizations can include companies,
corporations, enterprises, firms, charities, associations,
and institutions. Organizations can be either incorporated or
unincorporated and can be privately or publicly owned.

Auditor

An auditor is a person who carries out audits. Auditors collect
evidence in order to evaluate how well audit criteria are being met.
They must be objective, impartial, independent, and competent.

ISO 19011 distinguishes between internal and external auditors.
Internal auditors perform first party audits while external auditors
perform second and third party audits.

Audit client

An audit client is any person or organization that requests an
audit. Internal audit clients can be either the auditee or audit
program manager whereas external audit clients can include
regulators or customers or any other parties that have a legal
or contractual right or obligation to carry out an audit.

Audit conclusions

Audit conclusions are drawn by the audit team after the audit
has been completed and after audit findings and audit objectives
have been considered. Audit findings result from a process that
evaluates audit evidence and compares it against audit criteria.

Audit criteria

Audit criteria include policies, procedures, and requirements.
Audit evidence is used to determine how well audit criteria are
being met. Audit evidence is used to determine how well policies
are being implemented, how well procedures are being applied,
and how well requirements are being followed.

When requirements are used as audit criteria, auditors often use
the terms conformity and nonconformity to indicate whether or not
requirements are being met. However, when legal requirements are
used as audit criteria, auditors tend to use the terms compliance
and noncompliance (instead of conformity and nonconformity).

Audit evidence

Audit evidence includes records, factual statements, and other
verifiable information that is related to the audit criteria being used.
Audit criteria include policies, procedures, and requirements.

Audit evidence can be either qualitative or quantitative.
Objective evidence is information that shows or proves
that something exists or is true.

Audit findings

Audit findings result from a process that evaluates audit
evidence and compares it against audit criteria. Audit findings
can show that audit criteria are being met (conformity) or that
they are not being met (nonconformity). They can also identify
best practices or improvement opportunities.

Audit evidence includes records, factual statements, and other
verifiable information that is related to the audit criteria being used.
Audit criteria include policies, procedures, and requirements.

Audit plan

An audit plan specifies how you intend to conduct a particular
audit. It describes the activities you intend to carry out in order
to achieve your audit objectives.

An audit is an evidence gathering process. Audit evidence
is used to evaluate how well audit criteria are being met.

Audit program

An audit program (or programme) is a set of arrangements that
are intended to achieve a specific audit purpose within a specific
time frame. It includes all of the activities and resources needed
to plan, organize, and conduct one or more audits.

ISO 19011 expects organizations to appoint audit program
managers. They are responsible for setting objectives, assigning
responsibilities, allocating resources, and monitoring performance.

Audit scope

The scope of an audit is a statement that specifies the focus, extent,
and boundary of a particular audit. The scope can be specified by
defining the physical location of the audit, the organizational units
that will be examined, the processes and activities that will be
included, and the time period that will be covered.

Audit team

An audit team is made up of one or more auditors, one of whom is
appointed to be the audit leader. The audit team may also include
audit trainees.

When necessary, audit teams are also supported by guides and
technical experts. Guides and technical experts assist auditors
but do not themselves act as auditors.

Competence

Competence means being able to apply knowledge and skill
to achieve intended results. Being competent means having the
knowledge and skill that you need and knowing how to apply it.
Being competent means that you know how to do your job.

Conformity

Conformity is the "fulfillment of a requirement". To conform means
to meet or comply with requirements. There are many types
of requirements. There are management system requirements,
customer requirements, contractual requirements, regulatory
requirements, statutory requirements and so on.

Guide

Guides are appointed by auditee organizations to help auditors.
However, they may not influence or interfere with the conduct of
an audit. Guides are expected to identify potential interviewees, to
confirm interview schedules, to arrange access to auditee locations,
and to make sure that auditors and observers are familiar with all
relevant safety and security procedures. They may also be asked
to help auditors collect information and provide clarification.

Management system

A management system is a set of interrelated or interacting
elements that organizations use to establish and implement
policies and set and achieve objectives.

There are many types of management systems. Some of
these include quality management systems, environmental
management systems, emergency management systems, food
safety management systems, occupational health and safety
management systems, information security management
systems, and business continuity management systems.

Nonconformity

Nonconformity is the "non-fulfillment of a requirement". It is a
failure to comply with requirements. A requirement is a need,
expectation, or obligation. It can be stated or implied by an
organization, its customers, or other interested parties.

Observer

Observers accompany auditors and witness audit activities.
However, they're not audit team members and therefore do
not perform audit functions. They may not influence or interfere
with the audit. Observers can represent auditee organizations,
regulators, or any other interested party.

Risk

According to ISO Guide 73, risk is the “effect of uncertainty on
objectives” and an effect is a positive or negative deviation from
what is expected. So, risk is the chance that there will be a positive
or negative deviation from the objective you hope to achieve.

Technical expert

Technical experts support audit teams by providing specific
expertise or knowledge about the organization, process, or
activity being audited or about the auditee's language or
culture. They do not act as auditors.

The above definitions are based on ISO 19011 2011, section 3,
Terms and definitions. We've translated these definitions into
Plain English in order to make them easier to understand.

MORE ISO 19011 PAGES

Introduction to Auditing Standard

Brief Overview of Auditing Standard

ISO 19011 2011 Translated into Plain English

How to Use ISO 19011 To Audit Your Audit Program

Annex A: Knowledge and Skills Auditors Should Have

Annex B: Planning and Performing Management System Audits

Home Page

How to Order

Praxiom Research Group Limited     help@praxiom.com     780-461-4514

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
 material as often as you wish, free of charge. And as long as you keep intact
 all copyright notices, you are also welcome to print or make one copy of this
 page for your own personal, noncommercial, home use. But, you are not
 legally authorized to print or produce additional copies or to copy and paste
 any of our material onto another web site or to republish it in any way.

Copyright © 2012 - 2016 by Praxiom Research Group Ltd. All Rights Reserved.