ISO 19011:2018 Clause 6.3 Preparing audit activities


6.3.1 Performing review of documented information

The relevant management system documented information of the auditee should be reviewed in order to:
— gather information to understand the auditee’s operations and to prepare audit activities and applicable audit work documents, e.g. on processes, functions;
— establish an overview of the extent of the documented information to determine possible conformity to the audit criteria and detect possible areas of concern, such as deficiencies, omissions or conflicts.
The documented information should include, but not be limited to: management system documents and records, as well as previous audit reports. The review should take into account the context of the auditee’s organization, including its size, nature and complexity, and its related risks and opportunities.
It should also take into account the audit scope, criteria and objectives.

The relevant management system documented information of the auditee should be reviewed in order to gather information to understand the auditee’s operations and to prepare audit activities and applicable audit work documents, e.g. on processes, functions. Reviewing relevant management system documented information is a crucial step in the audit planning process. This documentation provides essential insights into the auditee’s operations, processes, functions, and overall management system. Here are key considerations when reviewing the auditee’s documented information:

  1. Understanding the Management System: Review the auditee’s quality management system documentation, including policies, procedures, manuals, and any other documented information that outlines the structure and requirements of their management system.
  2. Scope and Boundaries: Identify and understand the scope and boundaries of the auditee’s management system. This includes the products, services, and processes covered by the system.
  3. Organizational Structure: Examine the organizational structure and responsibilities documented by the auditee. This includes roles, authorities, and reporting relationships relevant to the management system.
  4. Processes and Procedures: Analyze documented processes and procedures to gain insights into how the auditee plans, executes, and controls its key activities.
  5. Documented Objectives and Targets: Identify documented objectives, targets, and performance indicators that the auditee has established to measure the effectiveness of its management system.
  6. Risk Management: Review any documented information related to risk management, including risk assessments, mitigation strategies, and contingency plans.
  7. Legal and Regulatory Compliance: Verify that the auditee’s management system documentation includes information on how the organization ensures compliance with relevant legal and regulatory requirements.
  8. Monitoring and Measurement: Examine documented information related to monitoring and measurement activities. This includes how the auditee evaluates performance, collects data, and ensures the effectiveness of its processes.
  9. Documentation Control: Assess how the auditee controls the creation, approval, distribution, and revision of documented information. Ensure that the documentation control processes are effective.
  10. Recordkeeping: Examine the auditee’s record-keeping practices, including how records are created, maintained, and retained.
  11. Continuous Improvement: Evaluate how the auditee documents and tracks continuous improvement initiatives, corrective actions, and preventive actions within its management system.
  12. Communication Processes: Understand how the auditee documents and manages internal and external communication processes related to the management system.
  13. Training and Competence: Review documented information related to training and competence, including procedures for ensuring that personnel are competent to perform their tasks.
  14. Documented Information Accessibility: Confirm that the audit team has access to the relevant documented information needed for planning and conducting the audit.
  15. Alignment with Standards: Verify that the auditee’s documented information aligns with the relevant standards, frameworks, or specifications that the organization adheres to.
  16. Pay attention to documented procedures related to core processes and critical functions.
  17. Verify that records provide evidence of conformity to requirements and the effective operation of the management system.

By thoroughly reviewing the auditee’s documented information, the audit team gains a comprehensive understanding of the management system, allowing for effective planning and the development of applicable audit work documents. This ensures that the audit activities are aligned with the organization’s processes and objectives, facilitating a thorough and meaningful audit process.

The relevant management system documented information of the auditee should be reviewed in order to establish an overview of the extent of the documented information to determine possible conformity to the audit criteria and detect possible areas of concern, such as deficiencies, omissions or conflicts. Reviewing the relevant management system documented information is a critical step in assessing the conformity of the auditee’s system to audit criteria. This process helps establish an overview of the extent and effectiveness of the documented information, and it aids in identifying any potential areas of concern. Here’s how this review process can be approached:

  1. Extent of Documented Information:
    • Assess the comprehensiveness of the documented information within the auditee’s management system.
    • Identify the types of documents, such as policies, procedures, manuals, and records, that are part of the documented information.
  2. Alignment with Audit Criteria:
    • Verify that the documented information aligns with the relevant audit criteria, including standards, regulations, and organizational requirements.
    • Ensure that the documented information adequately reflects the expectations outlined in the audit criteria.
  3. Conformity Assessment:
    • Evaluate the content of the documented information to determine the extent of conformity with established audit criteria.
    • Identify areas where the auditee demonstrates compliance and those that may require further scrutiny.
  4. Detection of Deficiencies:
    • Look for deficiencies, gaps, or inadequacies in the documented information that may indicate non-conformity with the audit criteria.
    • Pay attention to inconsistencies, inaccuracies, or outdated information that may pose challenges during the audit.
  5. Identification of Omissions:
    • Identify any areas where the documented information is incomplete or where key elements are missing.
    • Consider whether the absence of certain information may impact the auditee’s ability to meet the audit criteria.
  6. Detection of Conflicts:
    • Check for conflicts or contradictions within the documented information. This includes inconsistencies between different documents or conflicting requirements within a single document.
    • Document any conflicts that may need clarification during the audit.
  7. Assessment of Effectiveness:
    • Assess the effectiveness of the documented information in guiding and supporting the auditee’s management system.
    • Consider whether the information is practical, accessible, and contributes to the achievement of organizational objectives.
  8. Compliance with Legal and Regulatory Requirements:
    • Verify that the auditee’s documented information reflects compliance with applicable legal and regulatory requirements.
    • Identify any gaps or potential areas of non-compliance.
  9. Integration of Processes:
    • Evaluate how well the documented information integrates various processes within the organization.
    • Assess the clarity of connections between different elements of the management system.
  10. Communication of Responsibilities:
    • Review how responsibilities are communicated within the documented information, ensuring clarity regarding roles, authorities, and accountabilities.
  11. Accessibility of Documented Information:
    • Confirm that the documented information is accessible to relevant personnel and audit team members.
    • Ensure that there are effective document control measures in place.
  12. Documentation Review Record:
    • Maintain a record of the documented information reviewed, including findings, concerns, and areas of conformity.
    • Use this record as a reference during the audit planning and execution stages.

By conducting a thorough review of the auditee’s documented information, the audit team gains valuable insights into the effectiveness and conformity of the management system. This proactive approach sets the foundation for a focused and informed audit process, allowing the team to address concerns and potential non-conformities efficiently.

The documented information should include, but not be limited to: management system documents and records, as well as previous audit reports. The documented information that should be reviewed as part of the audit preparation includes a variety of elements, such as management system documents, records, and previous audit reports. Each type of documented information serves a specific purpose in evaluating the effectiveness and conformity of the auditee’s management system. Here’s a breakdown of each:

  1. Management System Documents:
    • Policies: These articulate the organization’s intentions and direction related to its management system. Policies provide a framework for decision-making and actions.
    • Procedures: Documented steps or instructions for performing key processes within the organization. Procedures provide a systematic approach to carrying out activities.
    • Manuals: Comprehensive documents that provide an overview of the entire management system, detailing how various elements are integrated and managed.
  2. Records:
    • Evidence of Activities: Records serve as evidence of activities conducted within the organization. This may include meeting minutes, training records, and other documented evidence of completed tasks.
    • Monitoring and Measurement Records: Documents that demonstrate how the organization monitors and measures its performance, such as quality control records or production logs.
    • Corrective and Preventive Action Records: Documentation related to corrective actions taken to address non-conformities or preventive actions to avoid potential issues.
  3. Previous Audit Reports:
    • Audit Findings: Reports from previous audits, detailing the findings, conclusions, and recommendations made by the audit team. These reports offer insights into the organization’s past performance and areas for improvement.
    • Corrective Action Plans: If applicable, review records of corrective actions taken by the auditee in response to previous audit findings. This helps assess the organization’s commitment to continuous improvement.
    • Follow-up Actions: If follow-up audits have been conducted, review the results of those audits to assess whether the auditee has effectively addressed previously identified issues.

Reviewing these types of documented information is essential for the audit team to gain a comprehensive understanding of the auditee’s management system, historical performance, and commitment to improvement. It allows the audit team to tailor their approach, focus on areas of significance, and ensure that the audit is both thorough and meaningful. Additionally, the review of previous audit reports provides context for the organization’s progress and the effectiveness of its corrective actions over time.

The review should take into account the context of the auditee’s organization, including its size, nature and complexity, and its related risks and opportunities. Considering the context of the auditee’s organization is a fundamental aspect of audit planning and review. The context encompasses various factors that influence the organization’s management system, and taking these into account is crucial for conducting a meaningful and effective audit. Here’s how the context should be considered during the review:

  1. Organization Size:
    • Review: Understand the size of the auditee’s organization. Larger organizations may have more complex management systems, while smaller ones might have simpler structures.
    • Consideration: Tailor the audit approach to match the size and scale of the organization. Adjust the depth and breadth of the audit activities accordingly.
  2. Nature of the Organization:
    • Review: Examine the nature of the auditee’s business, including its industry, sector, and core activities.
    • Consideration: Recognize that different industries and sectors may have unique requirements and standards. Align audit criteria with the specific nature of the organization.
  3. Complexity of Operations:
    • Review: Assess the complexity of the auditee’s operations, considering the diversity of products, services, and processes.
    • Consideration: Adjust the audit focus based on the complexity of operations. Complex processes may require more in-depth scrutiny during the audit.
  4. Related Risks and Opportunities:
    • Review: Identify and review the risks and opportunities that are relevant to the auditee’s operations and management system.
    • Consideration: Align audit activities with the identified risks and opportunities. Focus on areas where risks are high or where opportunities for improvement exist.
  5. Regulatory Environment:
    • Review: Understand the regulatory environment in which the auditee operates, including applicable laws, standards, and industry regulations.
    • Consideration: Ensure that the audit criteria and focus are aligned with relevant regulatory requirements. Assess the auditee’s compliance with applicable laws and regulations.
  6. Cultural and Organizational Factors:
    • Review: Consider the cultural and organizational factors that influence the auditee’s management system. This includes organizational culture, values, and leadership style.
    • Consideration: Tailor the audit approach to align with the organizational culture. Consider how cultural factors may impact the effectiveness of the management system.
  7. Strategic Objectives:
    • Review: Review the auditee’s strategic objectives and goals to understand the overarching priorities of the organization.
    • Consideration: Align the audit activities with the organization’s strategic objectives. Assess how well the management system supports the achievement of these objectives.
  8. Stakeholder Expectations:
    • Review: Identify key stakeholders and their expectations regarding the auditee’s performance and management system.
    • Consideration: Consider stakeholder expectations when assessing the effectiveness of the management system. Address any areas that may impact stakeholder satisfaction or confidence.
  9. Organizational Structure and Resources:
    • Review: Examine the organizational structure and available resources, including personnel, technology, and facilities.
    • Consideration: Assess whether the organization’s structure and resources adequately support the management system. Identify any resource constraints that may impact system effectiveness.

By integrating an understanding of the context into the audit planning and review process, the audit team can conduct a more targeted and relevant assessment. This approach ensures that the audit activities are aligned with the specific characteristics, risks, and opportunities of the auditee’s organization, ultimately leading to a more valuable and impactful audit process.

It should also take into account the audit scope, criteria and objectives. Considering the audit scope, criteria, and objectives is essential during the audit planning and review process. These elements provide the framework for the audit and guide the focus of the audit activities. Here’s how each component contributes to the review process:

  1. Audit Scope:
    • Review: Understand the defined audit scope, which outlines the boundaries and extent of the audit activities.
    • Consideration: Ensure that the review of the auditee’s documented information aligns with the specified scope. Focus on areas within the organization that are relevant to the audit objectives.
  2. Audit Criteria:
    • Review: Examine the audit criteria, which serve as the standards or benchmarks against which the auditee’s management system will be assessed.
    • Consideration: Align the review of documented information with the selected audit criteria. Verify that the auditee’s processes and activities adhere to the established standards.
  3. Audit Objectives:
    • Review: Understand the specific audit objectives, which articulate the intended outcomes or goals of the audit.
    • Consideration: Ensure that the review of documented information is directly tied to the audit objectives. Focus on gathering information that is relevant to achieving the stated audit goals.
  4. Alignment with Criteria:
    • Review: Verify that the audit criteria are clearly communicated and documented. This may include industry standards, regulatory requirements, or internal organizational standards.
    • Consideration: Align the review process with the identified audit criteria. Evaluate the auditee’s documented information against these criteria to determine conformity.
  5. Completeness of Documentation:
    • Review: Assess whether the auditee’s documented information is complete and comprehensive within the defined audit scope.
    • Consideration: Ensure that the review covers all relevant aspects outlined in the audit criteria. Identify any gaps in documentation that may affect the audit’s thoroughness.
  6. Focus on Objectives:
    • Review: Examine whether the documented information provides insights into the auditee’s adherence to the defined audit objectives.
    • Consideration: Focus the review on areas that directly contribute to achieving the audit objectives. Avoid tangential or unnecessary information that does not align with the goals of the audit.
  7. Risk-Based Approach:
    • Review: Apply a risk-based approach to the review process, considering the significance of different processes and areas within the audit scope.
    • Consideration: Prioritize the review of documented information based on the potential impact on achieving audit objectives and adherence to audit criteria.
  8. Adaptability to Changes in Scope:
    • Review: Assess whether the audit plan and review process are adaptable to changes in the audit scope if necessary.
    • Consideration: Anticipate the need for adjustments in the review process, especially if there are changes in the organization’s context, objectives, or other factors that impact the audit scope.
  9. Documentation for Reporting:
    • Review: Evaluate the adequacy of documented information for reporting purposes, ensuring that findings and conclusions can be supported.
    • Consideration: Review the documentation with a focus on its relevance to reporting on the audit results. Ensure that the documented information facilitates clear communication of audit findings.

By integrating the audit scope, criteria, and objectives into the review process, the audit team ensures that the assessment is focused, relevant, and directly aligned with the goals of the audit. This approach enhances the efficiency and effectiveness of the audit review, leading to more meaningful results and insights.
