ISO 19011:2018 Clause 5.5.7 Managing and maintaining audit programme records

The individual(s) managing the audit programme should ensure that audit records are generated, managed and maintained to demonstrate the implementation of the audit programme. Processes should be established to ensure that any information security and confidentiality needs associated with the audit records are addressed.
Records can include the following:
a) Records related to the audit programme, such as:
— schedule of audits;
— audit programme objectives and extent;
— those addressing audit programme risks and opportunities, and relevant external and internal issues;
— reviews of the audit programme effectiveness.
b) Records related to each audit, such as:
— audit plans and audit reports;
— objective audit evidence and findings;
— nonconformity reports;
— corrections and corrective action reports;
— audit follow-up reports.
c) Records related to the audit team covering topics such as:
— competence and performance evaluation of the audit team members;
— criteria for the selection of audit teams and team members and formation of audit teams;
— maintenance and improvement of competence.
The form and level of detail of the records should demonstrate that the objectives of the audit programme have been achieved.

The individuals managing the audit programme should ensure that audit records are generated, managed and maintained to demonstrate the implementation of the audit programme. The management of audit records is a crucial aspect of maintaining the integrity and effectiveness of an audit program. The audit records serve as documented evidence of the audit activities and provide a basis for assessing the implementation of the audit program. Here are some key points regarding the management of audit records:

  1. Generation of Records: Ensure that comprehensive and accurate audit records are generated during each audit activity. This includes documentation of planning, execution, and reporting phases of the audit.
  2. Consistency and Standardization: Establish consistent and standardized formats for recording audit information. This helps in organizing and retrieving information efficiently.
  3. Timely Documentation: Encourage the timely documentation of audit activities. This ensures that records are current and reflect the most recent state of the audit program.
  4. Storage and Retrieval: Implement a secure and organized system for storing audit records. This may involve both physical and electronic storage, depending on the nature of the records.
  5. Access Controls: Define and enforce access controls to protect the confidentiality and integrity of audit records. Only authorized personnel should have access to sensitive audit information.
  6. Retention Period: Establish a policy for the retention period of audit records. This policy should consider regulatory requirements and the need for historical data.
  7. Audit Trail: Maintain an audit trail that captures changes or modifications made to audit records. This helps in preserving the integrity of the audit information.
  8. Review and Verification: Periodically review and verify the completeness and accuracy of audit records. This can be part of ongoing quality assurance efforts.
  9. Demonstration of Implementation: Use audit records as evidence to demonstrate the effective implementation of the audit program. This is essential for internal reviews, external audits, and continuous improvement initiatives.
  10. Documentation of Corrective Actions: If any discrepancies or non-conformities are identified during the audit, ensure that records include documentation of corrective actions taken.
  11. Training and Awareness: Provide training to personnel involved in the audit program on the proper methods of record keeping. Foster awareness of the importance of maintaining accurate and complete records.

By adhering to these principles, the individuals managing the audit program can ensure that audit records not only meet regulatory requirements but also contribute to the overall success and improvement of the audit program.

Processes should be established to ensure that any information security and confidentiality needs associated with the audit records are addressed.

Here are key processes that should be established to address information security and confidentiality needs associated with audit records:

  1. Access Control Policies:
    • Develop and implement access control policies to restrict access to audit records only to authorized personnel. This includes defining user roles and permissions based on job responsibilities.
  2. Authentication Mechanisms:
    • Implement strong authentication mechanisms to verify the identity of individuals accessing audit records. This may include the use of usernames, passwords, multi-factor authentication, or other secure authentication methods.
  3. Encryption of Audit Records:
    • Employ encryption techniques to protect the confidentiality of audit records, both in transit and at rest. This ensures that even if unauthorized access occurs, the data remains secure.
  4. Secure Storage:
    • Establish secure storage facilities for both physical and electronic audit records. Physical records should be stored in locked cabinets or rooms, while electronic records should be stored on secure servers with access controls.
  5. Role-Based Access Control (RBAC):
    • Implement RBAC to ensure that individuals have access only to the audit records relevant to their roles and responsibilities. This helps minimize the risk of unauthorized access.
  6. Audit Trail Monitoring:
    • Implement an audit trail system that logs all access and modifications to audit records. Regularly review and monitor these audit trails to detect and investigate any suspicious activities.
  7. Secure Transmission of Audit Information:
    • When transmitting audit information, use secure communication channels. This may involve encrypting emails, using secure file transfer protocols, or employing virtual private networks (VPNs) for remote access.
  8. Training and Awareness Programs:
    • Conduct training programs to educate personnel involved in the audit program about the importance of information security and confidentiality. This includes raising awareness about potential risks and best practices for safeguarding audit records.
  9. Incident Response Plan:
    • Develop and maintain an incident response plan specific to potential security incidents involving audit records. This plan should outline steps to be taken in the event of a security breach and should include communication protocols.
  10. Regular Security Audits and Reviews:
    • Conduct regular security audits and reviews of the systems and processes handling audit records. This helps identify vulnerabilities and ensures that security controls remain effective.
  11. Legal and Regulatory Compliance:
    • Ensure that the processes for securing audit records align with relevant legal and regulatory requirements, such as data protection laws, industry standards, and any specific regulations applicable to the organization.
  12. Secure Disposal Procedures:
    • Establish secure procedures for the disposal of audit records that are no longer needed. This includes both physical records and electronic data, ensuring that information is properly deleted or destroyed.

By integrating these processes into the management of audit programs, organizations can establish a robust framework for ensuring the security and confidentiality of audit records throughout their lifecycle.

During an ISO audit, the following records related to the audit programme should be available:

  1. Schedule of Audits:
    • Purpose: To document the planned timing and sequence of audits.
    • Content: Details of scheduled audits, including dates, locations, and the specific areas or processes to be audited.
  2. Audit Programme Objectives and Extent:
    • Purpose: To outline the objectives and scope of the audit program.
    • Content: Clearly defined objectives, goals, and the extent of the audit program, specifying what will be covered and the criteria against which audits will be conducted.
  3. Audit Programme Risks and Opportunities:
    • Purpose: To identify and address potential risks and opportunities associated with the audit program.
    • Content: Documentation of identified risks and opportunities, along with strategies and actions planned to mitigate risks and capitalize on opportunities.
  4. External and Internal Issues:
    • Purpose: To capture factors that may impact the audit program, both internally and externally.
    • Content: Identification and documentation of relevant external and internal issues, such as changes in legislation, organizational restructuring, or technological advancements that may affect the audit program.
  5. Reviews of Audit Programme Effectiveness:
    • Purpose: To assess the performance and effectiveness of the audit program.
    • Content: Records of periodic reviews, evaluations, or assessments conducted to ensure that the audit program is achieving its objectives and adhering to relevant standards.

These records collectively contribute to the systematic planning, implementation, and improvement of the audit program, aligning with ISO standards. They also provide evidence during external audits that the organization is actively managing its audit processes and addressing risks and opportunities. Remember that maintaining accurate and up-to-date records is not only a requirement for compliance but also a good practice for continual improvement. Regularly reviewing and updating these records helps organizations adapt to changes and enhance the effectiveness of their audit programs over time.

During an ISO audit, the following records related to each individual audit should be available:

  1. Audit Plans:
    • Purpose: To outline the scope, objectives, and approach for the specific audit.
    • Content: Details such as audit criteria, scope, objectives, criteria for selection of auditees, and planned audit activities.
  2. Audit Reports:
    • Purpose: To document the results of the audit and communicate findings.
    • Content: Summarizes audit activities, presents audit findings, and includes conclusions and recommendations. It serves as a formal record of the audit process.
  3. Objective Audit Evidence and Findings:
    • Purpose: To provide documented evidence of audit activities and findings.
    • Content: Records of observations, interviews, documents reviewed, and any other evidence collected during the audit. Findings include both conformities and nonconformities.
  4. Nonconformity Reports:
    • Purpose: To document instances where the audited processes do not conform to the specified criteria.
    • Content: Details of nonconformities, including the nature of the nonconformity, its location, the criteria it violates, and any relevant evidence. Nonconformity reports are crucial for initiating corrective actions.
  5. Corrections and Corrective Action Reports:
    • Purpose: To address and rectify identified nonconformities.
    • Content: Records detailing the corrective actions taken to address nonconformities, including the root cause analysis, corrective actions implemented, and verification of their effectiveness.
  6. Audit Follow-Up Reports:
    • Purpose: To document the results of follow-up activities to verify the effectiveness of corrective actions.
    • Content: Details of follow-up activities, including the verification of implemented corrective actions, any further actions taken, and the final disposition of the nonconformity.

Maintaining these records provides a systematic and documented approach to auditing, aligning with ISO standards. These records serve as evidence of the organization’s commitment to continual improvement, corrective action, and compliance with established processes and standards. During ISO audits, external auditors will typically review these records to assess the effectiveness of the organization’s management system.

During an ISO audit, the following records related to the audit teams should be available:

  1. Competence and Performance Evaluation of Audit Team Members:
    • Purpose: To ensure that audit team members possess the necessary skills and knowledge to effectively carry out their roles.
    • Content: Documentation of assessments, evaluations, and training records that demonstrate the competence and performance of individual audit team members. This may include certifications, training completion records, and feedback from audit activities.
  2. Criteria for the Selection of Audit Teams and Team Members:
    • Purpose: To define the criteria used in the selection process for forming audit teams.
    • Content: Clearly defined criteria for selecting individuals to be part of audit teams. This may include expertise in specific areas, relevant experience, and other qualifications.
  3. Formation of Audit Teams:
    • Purpose: To document the process of assembling audit teams for specific audits.
    • Content: Records outlining the selection of individuals for specific audits, considering the criteria established. This may include team composition, roles, and responsibilities assigned to each team member.
  4. Maintenance and Improvement of Competence:
    • Purpose: To ensure that the audit team continually enhances its competence.
    • Content: Documentation of ongoing training, professional development, and other activities aimed at maintaining and improving the competence of audit team members. This may include records of training sessions, workshops, certifications, and feedback mechanisms.

Establishing and maintaining these records is crucial for demonstrating the effectiveness and reliability of the audit team. It also aligns with ISO requirements related to competence and continual improvement. During ISO audits, these records provide evidence that the organization has a systematic approach to managing the competency of its audit team, contributing to the overall success of its audit program.

The form and level of detail of the records should demonstrate that the objectives of the audit programme have been achieved.
The form and level of detail of records play a crucial role in demonstrating the achievement of the objectives of the audit program. These records serve as tangible evidence that the audit program is effectively planned, implemented, and monitored. Here are some considerations regarding the form and level of detail of records to achieve audit program objectives:

  1. Clarity and Transparency: Records should be clear and transparent, providing a straightforward representation of the audit program objectives, activities, and outcomes. Ambiguity in records can lead to misinterpretation and hinder the demonstration of achievement.
  2. Alignment with Objectives: The records should directly align with the established objectives of the audit program. This includes detailing how each aspect of the audit, from planning to reporting, contributes to the overall goals of the program.
  3. Comprehensive Documentation: Ensure that records are comprehensive, covering all relevant aspects of the audit program. This includes schedules, plans, reports, and any other documentation that supports the audit process.
  4. Consistency Across Records: Maintain consistency in the level of detail across different types of records. This ensures that there is coherence in the information presented, making it easier to follow the audit program’s progress and outcomes.
  5. Evidence of Implementation: Records should serve as evidence of the actual implementation of the audit program. They should clearly depict the execution of planned activities, adherence to established criteria, and the effectiveness of the audit process.
  6. Traceability and Accountability: Establish a clear traceability in records, linking each phase of the audit program to its corresponding objectives. This enhances accountability and allows for a straightforward assessment of whether the program is meeting its intended goals.
  7. Measurable Indicators: Use measurable indicators within records to quantify achievements and progress. This could include completion rates, adherence to timelines, and the successful resolution of nonconformities.
  8. Feedback and Improvement Documentation: Include records related to feedback received and improvements made during and after the audit program. This demonstrates a commitment to learning from experiences and continually enhancing the effectiveness of the program.
  9. Audit Program Reviews: Document the results of periodic reviews of the audit program’s effectiveness. These reviews should assess whether the program is meeting its objectives and identify areas for improvement.
  10. Accessibility and Retrieval: Ensure that records are easily accessible and retrievable. This facilitates external audits and assessments while also supporting internal reviews and continuous improvement efforts.

By focusing on these considerations, organizations can create records that not only fulfill compliance requirements but also provide a robust and compelling narrative of the audit program’s success in achieving its objectives. This, in turn, contributes to the overall effectiveness of the organization’s management system and processes.
