4. Audit Principles

A. Have integrity and be professional.

•  Comply with all applicable legal requirements.

•  Withstand the pressures that may be exerted and the
influences that may affect your professional judgment. 

B. Present fair and truthful results.

•  Make sure that audit results are fairly presented.

•  Make sure that important concerns are reported.

C. Exercise due professional care.

•  Perform auditing tasks with due care and diligence.

•  Make reasoned judgments in all audit situations.

D. Care about confidentiality.

•  Care about confidentiality and information security.

•  Handle information with due care and discretion.

E. Be independent and impartial. 

•  Be independent of the activities being audited.

•  Be impartial and always be free of bias.

F. Use an evidence-based approach.

•  Use an evidence-based approach to reach
reliable and reproducible audit conclusions.

5. Audit Program

5.1. Create your audit program (or programme).

•  Establish a management system audit program.

•  Use your audit program to evaluate the overall
effectiveness of your auditee’s management systems.

•  Monitor and measure the implementation
of your management system audit program.

•  Review your management system audit program
in order to identify possible improvements.

5.2. Set your program objectives.

•  Ensure that audit program objectives are established.

•  Make sure that your audit program objectives support
and are consistent with management system objectives.

•  Consider all relevant information when you
establish your audit program objectives.

•  Use program objectives to ensure that your audit
program is implemented and applied effectively.

•  Use program objectives to direct audit planning.

•  Use program objectives to direct audit activities. 

5.3. Establish your audit program.

5.3.1. Perform audit program management tasks.

•  Clarify the extent of your audit program.

•  Define auditors’ roles and responsibilities.

•  Develop procedures to manage audit program.

•  Determine the resources that program needs.

•  Implement and apply your audit program.

•  Establish records for your audit program.

•  Monitor your management system audit program.

•  Review your management system audit program.

•  Improve your management system audit program.

•  Discuss your audit program with top management.

5.3.2. Clarify manager’s competence requirements.

•  Make sure that your audit manager is competent.

•  Make sure that audit manager has the competence
to manage the program efficiently and effectively.

•  Make sure that your audit manager has the
appropriate specialized knowledge and skills.

•  Ensure that audit manager continues to be competent.

•  Ensure that audit manager continues to carry out
appropriate professional development activities.

5.3.3. Specify the extent of your audit program.

•  Establish the extent of your management
system audit program (its focus and reach).

•  Consider the nature of your audits.

•  Consider the nature of your audit criteria.

•  Consider the nature of the auditee organization.

•  Consider the nature of the systems being audited.

•  Consider the nature and results of previous reviews.  

5.3.4. Consider potential audit program risks.

•  Consider the risks that could potentially affect the
achievement of your audit program objectives.

•  Identify and evaluate program planning risks.

•  Identify and evaluate program resource risks.

•  Identify and evaluate program staffing risks.

•  Identify and evaluate program implementation risks.

•  Identify and evaluate program record keeping risks.

•  Identify and evaluate program monitoring risks.

•  Identify and evaluate program review risks. 

5.3.5. Develop procedures to manage program.

•  Establish procedures to manage and control
your management system audit program.

•  Use procedures to manage and control
your management system audit program. 

5.3.6. Identify program resource requirements.

•  Identify financial resource requirements.

•  Identify methodological resource requirements.

•  Identify technological resource requirements.   

•  Identify human resource requirements.

5.4. Implement your audit program.

5.4.1. Apply your unique audit program.

•  Communicate and share pertinent information
about the audit program with all relevant parties.

•  Define objectives for each individual audit.

•  Coordinate and control program activities.

•  Appoint competent audit team members.

•  Provide needed resources to audit teams. 

5.4.2. Define the focus of each individual audit.

•  Define and document the objectives
that each individual audit should achieve.

•  Define and document the scope of each audit.

•  Define and document the criteria that
individual audits use to assess conformity. 

5.4.3. Select methods for each individual audit.

•  Select and determine the methods that
should be used to conduct audits.

•  Make sure that all audit managers agree on audit
methods whenever two or more auditing organizations
need to conduct a joint audit of the same auditee. 

5.4.4. Appoint personnel for each individual audit.

•  Appoint audit team members for each separate audit.

•  Appoint an audit team leader for each separate audit.

•  Appoint technical experts for each separate audit. 

5.4.5. Assign responsibility for individual audits.

•  Assign responsibility for an individual
audit to a specific audit team leader.

•  Give the audit team leader enough time to plan the
audit whenever audit assignments are allocated.

•  Give the audit team leader the information that
he or she needs in order to carry out the audit.  

5.4.6. Manage your audit program outcomes.

•  Ensure that audit program outcomes
are managed efficiently and effectively.

•  Ensure that audit findings are evaluated.

•  Ensure that root cause analyses are reviewed.

•  Ensure that remedial actions are reviewed.

•  Ensure that audit reports are reviewed. 

5.4.7. Establish and maintain audit records.

•  Ensure that audit program records
are established and maintained.

•  Ensure that a record of each individual
audit is established and maintained.

•  Ensure that audit personnel records
are established and maintained. 

5.5. Monitor and modify your program.

•  Monitor the implementation of your program.

•  Modify your audit program whenever
evidence indicates that change is required. 

5.6. Review and improve your program.

•  Review your management system audit program.

•  Summarize your results and report to top management.

•  Improve your management system audit program. 

6. Audit Activities

6.1. Manage your audit activities.   

•  Perform audit activities that comply with your
management system audit program (Part 5). 

6.2. Initiate your audit activities.

6.2.1. Conduct and control audit activities.

•  Make sure that an audit team leader
is appointed for each individual audit.

•  Make sure that audit team leaders
initiate management system audits. 

6.2.2. Establish initial contact with auditee.

•  Establish communications with the auditee.

•  Confirm your agreement with the auditee.

•  Share information with the auditee.

•  Gather information about the auditee.

•  Request access to documents and records.

•  Make arrangements to conduct the audit. 

6.2.3. Determine the feasibility of the audit.

•  Make sure that you are reasonably confident
that your audit objectives can be achieved.

•  Make sure that you have everything you
need to plan and perform your audit. 

6.3. Get ready for your audit.

6.3.1. Perform document review.

•  Select management system documentation for review.

•  Review auditee’s management system documents.

•  Gather information to prepare for audit activities.

•  Establish an overview of system documentation. 

6.3.2. Develop your audit plan.

6.3.2.1 Study source documents.

•  Allocate audit planning responsibility to team leader.

•  Consider how you plan to conduct your audit.

•  Think about how you intend to use your audit plan. 

6.3.2.2 Prepare official audit plan.

•  Prepare your management system audit plan.

•  Discuss your audit plan with the audit client.

•  Present your audit plan to the auditee. 

6.3.3. Assign work to audit team members.

•  Consult with audit team members before
assigning roles and responsibilities.

•  Assign roles and responsibilities to each auditor.

•  Hold team meetings or briefings whenever work
assignments need to be changed or reallocated. 

6.3.4. Prepare audit working papers.

•  Prepare appropriate audit working papers.

•  Use working papers to collect audit information.

•  Control your audit working papers and records.

•  Review your audit working papers and records. 

6.4. Carry out your audit.

6.4.1. Establish audit sequence.

•  Conduct your opening audit meeting.

•  Review auditee’s documents during your audit.

•  Communicate with participants during the audit.

•  Assign responsibilities to guides and observers.

•  Collect and verify information during the audit.

•  Develop and document your audit findings.

•  Discuss and prepare audit conclusions.

•  Present audit findings and conclusions.  

6.4.2. Conduct opening meeting.

•  Plan your opening meeting.

•  Hold your opening meeting.

•  Introduce all participants.

•  Discuss communication channels.

•  Describe how the audit will be conducted.

•  Clarify your approach to risk management.

•  Explain how audit findings will be reported.

•  Confirm that support services will be available.

•  Specify the conditions that could cause
the premature termination of the audit.

•  Identify feedback systems that the auditee
could use to file a complaint or issue an appeal. 

6.4.3. Perform document review.

•  Review relevant documents provided by the auditee.

•  Decide whether or not documents are adequate.

•  Use document review to gather relevant information.

•  Consider reviewing documents throughout the audit. 

6.4.4. Communicate during audit.

•  Consider establishing formal communication
arrangements that can be used during the audit.

•  Communicate with audit team members.

•  Communicate with auditee and audit client.

•  Communicate with external agencies (as required). 

6.4.5. Assign guides and observers.

•  Consider asking or allowing guides and
observers to accompany your audit team.

•  Assign roles and responsibilities
to your audit guides and observers. 

6.4.6. Collect and verify information.

•  Select your information gathering methods.

•  Collect information to support your audit findings.

•  Record evidence used to establish audit findings.

•  Address unusual evidence discovered during audit.  

6.4.7. Generate your audit findings.

•  Establish audit findings by evaluating your audit
evidence and comparing it with your audit criteria.

•  Discuss your audit findings with audit team
members whenever necessary or appropriate. 

6.4.8. Prepare your audit conclusions.

•  Review audit findings and other related information.

•  Discuss and consider your audit conclusions.

•  Formulate and document your audit conclusions.

•  Prepare recommendations (if audit plan requires it).

•  Consider audit follow-up (whenever this is applicable). 

6.4.9. Present findings and conclusions.

•  Plan your closing meeting.

•  Hold your closing meeting.

•  Explain your audit methods.

•  Present your audit findings.

•  Describe your audit conclusions.

•  Make recommendations (if appropriate).

•  Discuss diverging opinions (if any).

•  Develop a post-audit action plan. 

6.5. Report your audit results.

6.5.1. Prepare your audit report.

•  Consider reporting options and plan your audit report.

•  Prepare your management system audit report.

•  Include or refer to your audit objectives.

•  Specify or refer to the scope of your audit.

•  Identify or refer to sponsors and participants.

•  Mention or refer to your audit agenda.

•  Discuss or reference your audit criteria.

•  Present or refer to your audit findings.

•  Document or refer to your audit conclusions. 

6.5.2. Distribute your audit report.

•  Finalize your management system audit report in
accordance with your audit program procedures.

•  Distribute your management system audit report in
accordance with your audit procedures or audit plan. 

6.6. Complete your audit.

•  Verify that your audit has been completed.

•  Protect audit documents and related information.

•  Keep a record of lessons learned during the audit.

6.7. Follow-up on your audit.

•  Consider whether remedial actions should be taken.

•  Ask auditee to provide remedial action status reports.

•  Verify that remedial actions were actually taken. 

7. Auditor Competence

7.1. Establish an auditor evaluation process.

•  Develop a process to evaluate audit team members.

•  Plan the evaluation of your audit team members.

•  Evaluate the competence of audit team members.

•  Maintain the competence of audit team members.

•  Improve the competence of audit team members. 

7.2. Define auditor competence requirements.

7.2.1. Consider the work that auditors need to do.

•  Consider the work your auditors are
expected to do when you think about the
knowledge and skill they should have.

•  Consider the nature of your audit program.

•  Consider the organizations to be audited

•  Consider the management systems to be audited.

•  Consider the requirements that must be met. 

7.2.2. Be a professional and have good character.

•  Behave in a professional manner and exhibit good
character whenever you're acting as an auditor.

•  Be ethical (be truthful and honest).

•  Be versatile (be adaptable and flexible).

•  Be perceptive (be attentive and watchful).

•  Be receptive (be willing to learn and improve).

•  Be observant (be aware of your surroundings).

•  Be collaborative (be capable of working with others).

•  Be open-minded (be willing to consider alternatives).

•  Be decisive (be able to draw timely conclusions).

•  Be tenacious (be persistent and focused).

•  Be self-reliant (be able to act independently).

•  Be diplomatic (be tactful and try to be discreet).

•  Be respectful (be sensitive to the auditee's culture). 

7.2.3. Possess appropriate knowledge and skills.

7.2.3.1 Possess knowledge needed to achieve results.

•  Possess the knowledge and skill that you need in
order to be able to achieve intended audit results.

•  Possess the knowledge and skill that you need
in order to provide leadership to your audit team. 

7.2.3.2 Possess necessary generic knowledge and skills.

A. Have generic auditing knowledge and skills.

•  Possess the knowledge and skill that you need
in order to ensure that your audits are conducted
in a systematic and consistent manner.

•  Be able to plan audits and organize work.

•  Be able to collect appropriate information.

•  Be able to prioritize and focus on important matters.

•  Be able to understand and use auditing knowledge.

•  Be able to understand and consider expert opinion.

•  Be able to verify accuracy of information collected.

•  Be able to use working papers to record activities.

•  Be able to evaluate the adequacy of audit evidence.

•  Be able to meet confidentiality and security needs.

•  Be able to document findings and conclusions.

•  Be able to communicate clearly and effectively.

•  Be able to stay on schedule and finish on time.

•  Be able to prepare appropriate audit reports.

•  Be able to comprehend auditing risks. 

B. Have management system knowledge and skills.

•  Possess the knowledge and skill that will ensure
that you comprehend your audit scope and apply
your audit criteria.

•  Understand and know how to use audit criteria.

•  Understand how management system standards
have been applied by organizations in general.

•  Understand management system components
and how they interact with one another.

•  Understand all relevant reference documents.

C. Have organizational knowledge and skills.

•  Possess the knowledge and skill that will ensure that
you comprehend the auditee organization's structure,
business, and management practices.

•  Understand organizational types and functions.

•  Understand general business concepts and terms.

•  Understand cultural and social characteristics. 

D. Have relevant legal knowledge and skills.

•  Possess the knowledge and skill that will ensure that
you are aware of, and will comply with, the auditee
organization's legal and contractual requirements.

•  Understand relevant legal jurisdictions.

•  Understand relevant governing agencies.

•  Understand relevant legal concepts.

•  Understand relevant laws and regulations. 

7.2.3.3 Possess specialized auditing knowledge and skills.

•  Possess the discipline-specific and sector-specific
knowledge and skill that you need in order to be able to
audit specialized management systems and sectors, to
evaluate auditees' activities, processes, and products,
and to generate appropriate audit findings and reach
valid conclusions.

•  Understand management system concepts.

•  Understand legal requirements and obligations.

•  Understand the expectations of interested parties.

•  Understand discipline-specific fundamentals.

•  Understand risk management methodologies.

7.2.3.4 Possess team leadership knowledge and skills.

•  Possess the additional management and leadership
knowledge and skill that is needed in order to be able
to ensure that audit teams are efficient and effective. 

•  Understand how to manage the audit process.

•  Understand how to communicate with people.

•  Understand how to balance the strengths and
weaknesses of individual audit team members.

•  Understand how to develop harmonious working
relationships amongst audit team members.

•  Understand how to help audit team
members reach reliable audit conclusions.

•  Understand how to prepare and complete
accurate, clear, and concise audit reports. 

7.2.3.5 Possess multidisciplinary knowledge and skills.

•  Possess the discipline-specific competence that you
need in order to be able to audit multiple management
systems that involve multiple disciplines.  

•  Possess the competence needed to audit at least
one of the management systems and understand
how the various management systems interact. 

7.2.4. Get appropriate auditing knowledge and skills.

•  Use formal education to acquire needed sector-specific and
discipline-specific management system knowledge and skill.

•  Use practical training services to acquire the
appropriate auditing knowledge and skill.

•  Use work experience to acquire general technical,
managerial, and professional knowledge and skill.  

7.2.5. Encourage team leaders to get experience.

•  Acquire additional audit experience by working
under the direction and guidance of other
knowledgeable audit team leaders. 

7.3. Develop auditor evaluation criteria.

•  Select qualitative auditor evaluation criteria.

•  Select behavioral and character based criteria.

•  Select knowledge and skill based criteria.

•  Select quantitative auditor evaluation criteria. 

7.4. Select auditor evaluation methods.

•  Select two or more auditor evaluation methods.

•  Consider using record reviews to evaluate auditors.

•  Consider using feedback to evaluate auditors.

•  Consider using interviews to evaluate auditors.

•  Consider using observation to evaluate auditors.

•  Consider using audit reviews to evaluate auditors. 

•  Consider using testing to evaluate auditors.

7.5. Evaluate the competence of auditors.

•  Evaluate your management system auditors.

•  Compare the information collected about the auditor
against your particular auditor evaluation criteria.

•  Help auditors to improve whenever they fail to
meet your audit program's evaluation criteria.

•  Encourage auditors to get more training.

•  Encourage auditors to get more experience. 

7.6. Maintain and improve auditor competence.

•  Maintain and continually improve the competence
of both auditors and audit team leaders.

•  Update your professional development activities
whenever relevant requirements change.

•  Establish suitable evaluation mechanisms that you
can use to continually evaluate the performance of
both auditors and audit team leaders.