Information - Protocol Specifics

The advent of ISO/IEC 17021 2015 vacates reference to ISO 19011 [generic Guidelines for  Management System Auditing] lead to auditing changes [we must reiterate that ISO 19011 is a guideline and now generic in nature (not a requirement for internal Management System auditing), a requirements for registrars and certification bodies]:

The term audit phases has been replaced with activities. In addition, the term "documentation review" is seen as a mutually exclusive activity - here at BULLTEK LTD still refers to Adequacy Audit or part of Phase I. ISO 19011 lists auditing completion tasks. Thereof, listing within auditor courses the following protocol is advised:

1. Initiation (define audit objectives)
2. Reviewing (implies examining the management system documents)
3. Preparation (planning for on-site auditing activities)
4. Execution / Realization (auditing the management system)
5. Reporting (reporting the results of the audit)
6. Completion (completion of the audit plan)
7. Follow-up (conducting follow-up auditing, when and if required)

Thereof, a synopsis of the the key auditing activities are noted as follows:

Initiation of the Audit

  • Identify and define the purpose of the audit;
  • Designate an audit team;
  • Defining the objectives, scope, and criteria for the audit;
  • Determining the feasibility of the audit;
  • As requires, select the audit team; and
  • Establishing the initial contact with the auditee, as deemed necessary (considering 1st, 2nd or 3rd Party Auditing).

Documentation Review

  • Reviewing the management system documentation prior to on-site auditing (including each relevant document and record) - Could review documentation in a preliminary site visit;
  • Determining conformity as integral part of the audit criteria (or objective);
  • The on-site audit may be deferred if needed;
  • Reporting of documentation findings whether concerns or non-conforming;
  • Proceed with the on-site audit if not deterrent due to the findings at documentation.

Preparing for the On-Site Audit

  • Prepare an audit plan, a basis for agreement, and submitted to the auditee;
  • The audit plan provides the basis for scheduling and coordinating the on-site audit;
  • Any planning must be kept flexible thus permitting changes during the audit itself;
  • Assign activity work to the audit team members;
  • Prepare for the auditing work documents: including checklists, check sheets, forms, and related;
  • Confirm the on-site audit  logistics and needed arrangements.

Conducting the Audit

  • Conduct an opening meeting;
  • Ongoing communication during the audit;
  • As needed, discuss the role of the guides and observers;
  • Commence the interviewing process on personnel performing work activities;
  • Gather data and information;
  • Proceed to verify the information;
  • The audit team prepares and agree on the audit conclusions; and
  • Complete a closing meeting.

Reporting Audit Results

  • The audit team prepares the audit report, in 2nd and 3rd Party auditing the term "Lead Auditor" comes into effect as applies to third party auditing;
  • The report is as accurate, precise and concise record of the audit;
  • Date, review, and approve the audit as dictated by procedure;
  • The audit report is issued within the agreed arrangements (closing meeting) or otherwise procedure; and
  • The report must be distributed to the audit or otherwise client-designees.

Completing the Audit
An audit is "complete" when:

  • The activities stipulated within the audit plan have been completed;
  • The audit report has been approved and distributed;
  • Records have been kept or otherwise destroyed per agreement; and
  • Non conformances have been effectively corrected (as the audit is not considered "closed" until verification of the effectiveness of the action taken, when corrective action has been requested). 

When conducting Follow-up...

  • If there is a corrective action request (a nonconformity), conclusions implies actions must be taken by the auditee;
  • Corrective action(s) need be taken within an agreed time frame;
  • Whilst, such actions are outside the audit time frame planning / plan indeed the audit stays open until effective action has been taken;
  • The auditee may inform the audit team action and when has it been taken (per agreement);
  • The effectiveness of the  action taken must be verified; thus
  • This verification can be part of the planning of a subsequent audit unless otherwise determined that the action must be verified prior to closing a request for action / non conformance.




Audit and auditing, some thoughts…

In the activity of auditing, the information obtained must assist the audit team to identify whether the implementation of a managerial system meets any of the internationally recognized and generally accepted (IRGA) benchmarks such as ISO 9001 (or variants). During the realization of this activity, concurrence between said and done requires examination, evaluation, investigation and reporting. And that the resulting programs or system meets the requirements under which the organization ascribes.


Obtaining objective evidence requires auditing skills, techniques and knowledge on the activity to be audit. The old adagio "plan twice and realize once" goes far for auditing. A checklist / check sheet is an opportunity to "view" the activities to audit and textually outline the strategy to follow. However, we ought not to fall prey to conformity checking. Once the strategy is planned through knowingly what information to obtain (on the basis of established criteria), other questions will rise as the audit progresses.


Obtaining information is through techniques that allow the auditee to provide information and assisting the audit team in concluding the level of system implementation effectiveness. As humans we have two ears and one mouth, use these accordingly. During this process ascertain that the interviewee from whom gathering information is the correct responder. There may be no value in obtaining information from the incorrect source.


Clarification and confirmation is a technique that applies to assisting in ascertaining that the communication with interviewees is effective. The use of open and close questions assist in achieving audit objectives. Close-questions are best apply when a specific piece of information needs confirming. Open questions are those leading to a conversation, and allow the interviewee(s) to convey information about the audit team inquiry, thus audit objectives. It is important for the auditee / interviewee to know what's being valued, and that this value is the effectiveness of the management system and not their specific performance.


Be "straight forward" with interviewee / auditee and ask one question at a time - this is not a military type interrogation...


Careful playing psychologist, misreading a sign or body language could affect in the objective of the audit and confuse the interviewee. Much to often we encounter train auditors that were taught to read this or that signal, experience and time has taught that techniques within the field of psychology is best left within the realm of the  latter.


A Note on Note Writing


The interviewee / auditee must understand that note taking does not construed wrong or right but just gathering information to arrive to conclusions. Needless to say do not take notes continuously, this impedes the interviewee to maintain a fluent conversation. This is why understanding that what's being examining is the management system, practices and methods and not the performance of individuals. Thus to realize and transmit that this is true, second though must be given to writing names of individuals when writing the report.


    Note on notes - Notes shall contain information assisting to conclude objectively and have the ability for other competent audit teams to arrive to the same conclusion.  Thus, information obtained shall be traceable.


The auditee must feel comfortable, and yourself have informed, that the audit outcome they will be first to know. If your interview leads to follow a trail, when feasible, inform the interviewee.


Also remember that the audit team records for future audits, source of information.


Closure and Follow-up


The audit report is to contain relevant information to the objective of the audit. The audit report, most likely a predetermined form, will contain and answer:


  • Scope of the audit
  • Audited activities / processes
  • Dates and include specifics of shift


Include information that will assist auditee and follow-up audit team to achieve audit objective

The information shall briefly express information on findings; observation; and nonconformity, if found

Conveys the information quickly and instigate taking action

As requires by third party auditing, classify any nonconformity 


A final word on relating nonconformity to requirement, when identify a nonconformity convey the necessary information for the auditee to take action leading from the possible cause (of the nonconformity itself). This last may be a difficult tasks of an effective and competent audit team.


The information herein noted applies equally to management systems, such as:

  • ISO 9001
  • ISO/IEC 17025
  • ISO/IEC 27001
  • ISO 22000
  • ISO/IEC 17024
  • ISO 13485
  • AS9100
  • TL 9000
  • TS 16949
  • And other management systems



Some Thoughts in AuditingBack to Home Portal...