ISO 19011:2018 Clause 6.3.4 Preparing documented information for audit

ISO 19011:2018 11 Minutes

The audit team members should collect and review the information relevant to their audit assignments and prepare documented information for the audit, using any appropriate media. The documented information for the audit can include but is not limited to:
a) physical or digital checklists;
b) audit sampling details;
c) audio visual information.
The use of these media should not restrict the extent of audit activities, which can change as a result of information collected during the audit.
Documented information prepared for, and resulting from, the audit should be retained at least until audit completion, or as specified in the audit programme. Documented information created during the audit process involving confidential or proprietary information should be suitably safeguarded at all times by the audit team members.

The audit team members should collect and review the information relevant to their audit assignments and prepare documented information for the audit, using any appropriate media. The collection and review of relevant information are critical steps in the audit process. Here are key considerations related to this activity:

  1. Information Collection:
    • Scope Relevance: Ensure that the collected information is directly relevant to the scope and objectives of the audit assignments.
    • Comprehensive Coverage: Strive for a comprehensive collection of data, covering all aspects pertinent to the audit tasks.
  2. Documented Information Preparation:
    • Clarity and Accuracy: Prepare documented information with clarity and accuracy, ensuring that it effectively communicates relevant details.
    • Consistent Format: Maintain a consistent format for documented information to facilitate understanding and review.
  3. Media Utilization:
    • Appropriate Media: Use appropriate media (e.g., electronic documents, spreadsheets, reports) for preparing and presenting documented information.
    • Efficiency: Choose media that enhance efficiency in information preparation and review processes.
  4. Audit Objectives Alignment:
    • Direct Alignment: Ensure that the collected and documented information directly aligns with the audit objectives, criteria, and scope.
    • Avoid Extraneous Details: Exclude information that is not directly related to the audit objectives to maintain focus.
  5. Cross-Verification:
    • Cross-Check Information: Cross-verify the accuracy and consistency of collected information with multiple sources when possible.
    • Validation of Data: Validate data to ensure its reliability and relevance to the audit assignments.
  6. Quality Assurance:
    • Quality Control Measures: Implement quality assurance measures to verify the quality of documented information.
    • Peer Review: Encourage peer reviews to identify any errors or omissions and enhance the overall quality of documented information.
  7. Legal and Ethical Compliance:
    • Adherence to Legal Standards: Ensure that the collection and use of information comply with legal and ethical standards.
    • Confidentiality: Safeguard confidential information and adhere to data protection regulations.
  8. Timeliness:
    • Adherence to Schedule: Collect and review information within the established timelines to avoid delays in the audit process.
    • Real-Time Updates: Provide real-time updates to the audit team leader and other relevant stakeholders on information collection progress.
  9. Relevance to Risk Assessment:
    • Risk Identification: Ensure that the collected information is relevant to the identification and assessment of risks associated with the audit assignments.
    • Risk Mitigation: Use information to develop strategies for mitigating identified risks.
  10. Effective Communication:
    • Clear Presentation: Present documented information in a clear and understandable manner.
    • Communication Alignment: Ensure that the documented information effectively communicates the findings and insights related to the audit assignments.
  11. Accessibility and Storage:
    • Secure Storage: Safely store documented information in a secure and accessible location.
    • Version Control: Implement version control mechanisms to track changes and updates to documented information.
  12. Continuous Monitoring:
    • Ongoing Collection: Continue to monitor and collect information throughout the audit process, adapting strategies as needed based on emerging findings.
  13. Audit Team Collaboration:
    • Team Input: Encourage collaboration among audit team members in the collection and review of information.
    • Regular Updates: Share updates and insights with the team to foster a collaborative and informed approach.

By adhering to these considerations, audit team members can contribute to the effectiveness and reliability of the audit process, ensuring that the information collected and documented supports the achievement of audit objectives.

The documented information for the audit can include but is not limited to physical or digital checklists, audit sampling details and audio visual information. The documented information for an audit can take various forms, and it’s important to use a range of tools to capture relevant details. Here are considerations for including physical or digital checklists, audit sampling details, and audiovisual information in the audit documentation:

  1. Physical or Digital Checklists:
    • Comprehensive Checklists: Develop checklists that comprehensively cover the audit criteria, objectives, and scope.
    • Clear Format: Ensure checklists are presented in a clear and organized format to facilitate easy understanding and use.
    • Consistency: Maintain consistency in the application of checklists across audit team members.
  2. Audit Sampling Details:
    • Sampling Rationale: Document the rationale for selecting specific samples for auditing purposes.
    • Sample Size and Methodology: Clearly specify the sample size and the methodology used in selecting samples for testing.
    • Results of Sampling: Record the results obtained from the audit sampling process, including any deviations or observations.
  3. Audiovisual Information:
    • Recording Interviews: Use audiovisual tools to record interviews, meetings, or other interactions relevant to the audit.
    • Visual Evidence: Capture visual evidence through photographs or videos when applicable and necessary.
    • Documentation of Procedures: Document the procedures followed in using audiovisual information, including storage and access protocols.
  4. Data Security:
    • Secure Storage: Implement secure storage mechanisms for both physical and digital documentation, ensuring protection against unauthorized access.
    • Data Encryption: Apply encryption measures for digital information to enhance data security.
    • Access Controls: Implement access controls to restrict access to sensitive audit information.
  5. Consistency Across Formats:
    • Alignment with Standards: Ensure that the use of physical or digital checklists, audit sampling details, and audiovisual information aligns with professional auditing standards.
    • Interoperability: Choose digital formats that allow for interoperability and easy integration with audit management systems.
  6. Review and Approval:
    • Review Process: Establish a review process for all documented information to ensure accuracy and completeness.
    • Approval Protocols: Define protocols for the approval of audit documentation, including signatures or electronic approvals.
  7. Accessibility and Retrieval:
    • Ease of Retrieval: Design the documentation system to facilitate easy retrieval of information when needed.
    • Metadata Inclusion: Include metadata in digital documentation to provide context and facilitate searchability.
  8. Training and Familiarity:
    • Team Training: Ensure that audit team members are trained on the proper use of tools for documenting information.
    • Familiarity with Technology: Familiarize team members with any technological tools used for audiovisual documentation.
  9. Alignment with Audit Objectives:
    • Relevance: Confirm that all documented information aligns directly with the audit objectives and criteria.
    • Avoid Redundancy: Eliminate redundant information and focus on capturing key details.
  10. Legal and Ethical Compliance:
    • Consent for Audiovisual Recording: Obtain consent, when necessary, for audiovisual recordings in compliance with legal and ethical standards.
    • Data Privacy Considerations: Ensure that the collection and storage of audiovisual information comply with data privacy regulations.

By incorporating these considerations, audit teams can enhance the robustness of their documented information, ensuring that it supports the audit process effectively and meets the necessary standards for accuracy, relevance, and legal compliance.

The use of these media should not restrict the extent of audit activities, which can change as a result of information collected during the audit. The use of various media, including physical or digital checklists, audit sampling details, and audiovisual information, should not impede the flexibility and adaptability of the audit process. Here are key considerations to ensure that the use of these media does not restrict the extent of audit activities:

  1. Adaptability to New Information:
    • Ensure that the audit process remains adaptable to changes in scope or activities based on new information that emerges during the audit.
    • Allow for adjustments to the audit plan as necessary to accommodate relevant insights and findings.
  2. Continuous Monitoring:
    • Establish a system for continuous monitoring of information collected during the audit to identify opportunities for additional activities or changes in focus.
    • Regularly reassess the audit plan to ensure it aligns with the evolving understanding of the audited processes.
  3. Real-Time Documentation:
    • Encourage real-time documentation of information, especially through digital tools, to facilitate immediate updates and adjustments to the audit plan.
    • Enable audit team members to capture observations as they occur to inform real-time decision-making.
  4. Flexibility in Sampling Methods:
    • Maintain flexibility in audit sampling methods, allowing for adjustments based on preliminary findings or unexpected patterns identified during the audit.
    • Consider dynamic sampling approaches that can be modified as needed to enhance the audit process.
  5. Responsive Team Collaboration:
    • Foster a culture of collaboration within the audit team where members can openly communicate and suggest changes to activities based on new information.
    • Encourage team members to share insights and observations that may warrant modifications to the audit plan.
  6. Documented Information Updates:
    • Establish protocols for updating documented information in response to changes in audit activities.
    • Clearly communicate any updates to the audit team to ensure a shared understanding of the evolving audit process.
  7. Communication Channels:
    • Maintain effective communication channels within the audit team to facilitate prompt sharing of information that may impact the audit scope.
    • Establish a protocol for reporting significant findings or issues that may require adjustments to audit activities.
  8. Risk-Based Approach:
    • Adopt a risk-based approach to audit planning, allowing for a flexible response to emerging risks and opportunities.
    • Prioritize audit activities based on the potential impact on achieving audit objectives and managing risks.
  9. Review and Approval Process:
    • Implement a streamlined review and approval process for modifications to the audit plan, ensuring that changes can be made efficiently.
    • Include mechanisms for documenting the rationale behind changes to provide a transparent record.
  10. Continuous Improvement:
    • Embrace a continuous improvement mindset, using insights gained during the audit to enhance future audit planning and execution.
    • Conduct post-audit reviews to identify lessons learned and areas for improvement in the audit process.
  11. Legal and Ethical Considerations:
    • Ensure that any changes or adaptations to audit activities comply with legal and ethical standards.
    • Consider the impact of changes on data privacy and confidentiality, and adjust protocols accordingly.

By prioritizing adaptability and continuous monitoring, audit teams can harness the benefits of various media while ensuring that the audit process remains responsive to new information and evolving circumstances. This approach enhances the overall effectiveness and relevance of the audit activities.

Documented information prepared for, and resulting from, the audit should be retained at least until audit completion, or as specified in the audit programme. The retention of documented information generated during the audit is a crucial aspect of audit management. Here are key considerations related to the retention of audit documentation:

  1. Audit Completion Period:
    • Retain documented information at least until the completion of the audit process.
    • Specify the exact duration for retention based on the audit programme or relevant policies.
  2. Legal and Regulatory Requirements:
    • Ensure compliance with any legal or regulatory requirements related to the retention of audit documentation.
    • Familiarize yourself with applicable data protection and privacy laws that may impact the retention period.
  3. Audit Programme Specifications:
    • Adhere to the retention specifications outlined in the audit programme or management system documentation.
    • Document any specific requirements or timelines for retaining audit documentation.
  4. Reference for Follow-Up Audits:
    • Retain documentation to serve as a reference for follow-up audits or future assessments.
    • The historical record can provide insights into past audit findings, actions taken, and improvements achieved.
  5. Lessons Learned and Continuous Improvement:
    • Use retained documentation for lessons learned sessions to improve future audit processes.
    • Analyze past audit records to identify areas for improvement in planning, execution, and reporting.
  6. Evidence of Conformity and Non-Conformity:
    • Retain documentation that serves as evidence of conformity to audit criteria or highlights non-conformities.
    • This information may be necessary for certification purposes or to demonstrate adherence to standards.
  7. Documentation Integrity:
    • Safeguard the integrity of retained documentation to ensure it remains accurate, complete, and unaltered.
    • Implement secure storage measures to protect against unauthorized access or tampering.
  8. Accessibility for Stakeholders:
    • Ensure that relevant stakeholders, including auditees and regulatory bodies, have access to necessary documentation during the retention period.
    • Facilitate transparency and accountability through controlled access to retained information.
  9. Storage Medium and Format:
    • Choose appropriate storage mediums and formats for documented information to ensure longevity.
    • Consider digital storage solutions with proper backup mechanisms to protect against data loss.
  10. Audit Closure Activities:
    • Retain documentation related to audit closure activities, such as the issuance of audit reports and the completion of corrective actions.
    • Maintain a comprehensive record of the entire audit lifecycle.
  11. Communication of Retention Period:
    • Clearly communicate the specified retention period to audit team members and relevant stakeholders.
    • Ensure that everyone involved in the audit process understands their responsibilities regarding documentation retention.
  12. Disposal Protocols:
    • Establish protocols for the secure disposal or deletion of documentation once the retention period expires.
    • Follow data protection and privacy regulations during the disposal process.
  13. Archiving Procedures:
    • Implement systematic archiving procedures to organize and manage retained documentation.
    • Clearly label and catalog documents for ease of retrieval if needed in the future.

By carefully managing the retention of documented information, audit teams can ensure compliance, facilitate continuous improvement, and maintain a reliable historical record of audit activities for future reference.

Documented information created during the audit process involving confidential or proprietary information should be suitably safeguarded at all times by the audit team members. Safeguarding confidential or proprietary information is a critical responsibility for audit team members to maintain trust, uphold ethical standards, and comply with legal and regulatory requirements. Here are key considerations for safeguarding confidential or proprietary information during the audit process:

  1. Awareness and Training:
    • Ensure that all audit team members are aware of the sensitivity of confidential or proprietary information.
    • Provide training on the handling, storage, and transmission of such information to mitigate risks.
  2. Need-to-Know Basis:
    • Limit access to confidential information to only those team members who have a legitimate need to know.
    • Clearly define roles and responsibilities regarding access to and handling of confidential data.
  3. Confidentiality Agreements:
    • Consider implementing confidentiality agreements or non-disclosure agreements with audit team members.
    • Reinforce the importance of adhering to confidentiality requirements throughout the audit process.
  4. Secure Storage:
    • Use secure and encrypted storage systems for storing digital files containing confidential information.
    • Implement physical security measures for safeguarding hard copies of confidential documents.
  5. Access Controls:
    • Implement access controls to restrict unauthorized access to confidential information.
    • Regularly review and update access permissions based on changing roles or project phases.
  6. Password Protection:
    • Use strong password protection for electronic files and systems containing confidential information.
    • Encourage the use of multi-factor authentication to enhance security.
  7. Encrypted Communication:
    • Utilize encrypted communication channels for sharing confidential information within the audit team.
    • Avoid using unsecured or public networks when transmitting sensitive data.
  8. Physical Security:
    • Implement measures to secure physical documents, such as locked cabinets or restricted-access rooms.
    • Monitor and control the movement of physical documents containing confidential information.
  9. Disposal Protocols:
    • Establish secure protocols for the disposal of documents or files that contain confidential information.
    • Shred or securely delete electronic files to prevent unauthorized retrieval.
  10. Secure Work Environments:
    • Ensure that audit team members work in secure environments where confidential discussions are not overheard.
    • Be cautious about discussing sensitive information in public spaces.
  11. Secure Collaboration Tools:
    • Use secure collaboration tools that offer encryption and other security features when sharing information among team members.
    • Verify the security features of any third-party platforms used for communication and document sharing.
  12. Regular Audits and Reviews:
    • Conduct regular audits or reviews to assess compliance with confidentiality protocols.
    • Identify and address any potential vulnerabilities or breaches promptly.
  13. Incident Response Plan:
    • Develop an incident response plan to address any breaches or unauthorized disclosures of confidential information.
    • Clearly communicate the steps to be taken in the event of a security incident.
  14. Legal and Ethical Compliance:
    • Adhere to legal and ethical standards related to the protection of confidential information.
    • Comply with data protection and privacy regulations applicable to the jurisdiction in which the audit is conducted.
  15. Continuous Education:
    • Keep audit team members informed about evolving cybersecurity threats and best practices for safeguarding information.
    • Foster a culture of continuous learning and improvement regarding information security.

By prioritizing the secure handling of confidential or proprietary information, audit teams can maintain the integrity of the audit process and uphold the trust placed in them by auditees and other stakeholders.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply