
Audit Program

The organization must maintain a documented program for conducting audits (internal and external).

An audit program is a series of steps or specifications required by the organization in order to be able to conduct the audit.

The goal of the program is to identify the required organizational elements that will be audited and determine when they will be audited.

The program has several objectives:

• The audit program will ensure that the audits are conducted as planned.

• Through publication of the program, employees and personnel will understand that the internal audit is a continuous measure of the QMS and not a capricious decision made by the top management.

• The audit program shall introduce the auditor to the scope and objectives of the audit (fields, subjects, departments, locations, sites, products, areas, roles, processes, or the specific status of processes).

• The program shall specify the authorities and responsible parties that will participate in the audit (the auditor or audit team, employees, specific roles, management representatives, technical experts, etc.).

• The program shall detail the resources required for the audit (meeting rooms, personnel, records, products, production lines, etc.).

• The program shall give a description of the agenda or topics and issues that will be audited and discussed.

• The program shall indicate scheduled time frames for the different audit stages.

It is recommended that you publish and communicate the audit program.

The program can appear as a list or a procedure.

The following is a suggestion of an audit program:

Example of an audit program

Time and date for part 1 of the audit:

• 8:00–12:00 12/2021


• Assembly

Topics to be reviewed:

• Accomplishment of work instructions

• Accomplishment of cleanliness instructions

• Performance of trainings

• Nonconformities


• All work instructions are to be available

• All required records are to be available


• Audit plan

Time and date for part 2 of the audit:

• 13:00–17:00 12/2021


• Warehouse

Topics to be reviewed:

• Accomplishment of work instructions

• Accomplishment of cleanliness instructions

• Performance of trainings



• All warehouse employees are to attend the audit


• Audit plan

Some organizations also include detailed tests, investigations, or examinations that are conducted during the audit.

The program must be documented and will be submitted to the controls suggested in clause 7.5—Documented information.

Audit Scope

The first step in effectively implementing the internal audit is to define the scope of the audit.

The audit scope defines the extent and the boundaries of the internal audit: the areas and limits to which the audit is applicable and which the audit must control.

The scope shall cover the following issues:

• The purpose of the audits (e.g., compatibility to the ISO 9001 Standard requirements).

• Physical locations (like branches or affiliations).

• Different organizational units like divisions or departments.

• The relevant or related activities and processes to be audited.

• The time period for which the audit results are valid, after which a new audit shall be conducted (a year, a quarter, a month).

• Additional standards or regulatory and contractual requirements that may serve as audit criteria.

• The expected records.

This scope will be managed and implemented through the audit program and plan (which will be discussed later on in this chapter).

Audit Plan

The audit shall include and specify the activities necessary for organizing and conducting the audit and describe the required resources for the audit. For this purpose you may define and use an audit plan.

By audit plan I mean a specification (may appear on a document) that describes all the tests and examinations that must be performed during an audit and needed to be done in order to evaluate the extent of meeting

The plan will direct the auditor during the audit.

The objective of the plan is to ensure that all aspects of the scope are covered and to allow auditees to prepare and organize for the audit.

While auditing the QMS, you are required to evaluate it through three distinct aspects:

• Implementing all the relevant ISO 9001 Standard requirements

• Achieving the organization’s requirements for its QMS: quality plans, processes and procedures, and maintenance of records

• Extent of effectiveness of implementing the QMS: achieving quality objectives, customer satisfaction, and improving the QMS

The audit plan should include reference to the following issues:

• The audit scope

• Locations where the audit activities are to be conducted

• The audit topics

• Time schedules

• Information for the opening of the audit

• Changes in the QMS that must be mentioned before the audit begins

• Results of the last audit

• Open nonconformities

• Required resources

• The audit criteria and reference to relevant documents

• The auditor or the audit team

• Roles and responsibilities of the auditee

• Other required accompanying persons

• The audit tests, inspections, and examinations

You may manage a general plan that will refer to all the organizational units and will ask to evaluate performance of procedures and work instructions, evaluate quality procedures, and sample evidences of executing those processes.

Such a plan will be applicable to the entire organization. But I recommend adopting a more specific plan that is designed to audit one specific organizational unit and is therefore not applicable to other units.

Such a plan will refer to specific processes related to this unit, will consider the interrelations of this unit with other organizational units, will present the appropriate criteria for evaluation, will examine specifically the quality requirements of this unit, and will ask to review documented information related to its processes.

This plan is more effective; for example, if the auditor is auditing a warehouse, a specific plan will direct them to the appropriate processes and activities, support them with the right criteria, and describe to them which records they must sample.

Defining Planned Intervals for Internal Audits

The audits will be planned and conducted at planned intervals. The intervals shall be documented in the audit program.

The goals of planning ahead are

• To allow the different units of the organization time to prepare for the audit

• To maintain a periodical plan for internal audits (usually an annual plan)

• To ensure the continuity of the audit

In practice, you may define appointments for the audit on the organizational calendar.

The ISO 9001 Standard does not require specific dates, but setting them is more practical.

If you would like to perform “unexpected” audits, then define them on the program but do not publish them.

Conformance of QMS to the Organization’s Requirements

The organization has determined its own requirements for the QMS while designing and developing it.

The internal audit is one instrument for self-review of whether those requirements are achieved.

Which type of requirements?

• Quality plans for the product:

Any requirement for product realization must be evaluated on whether it was performed as planned. The best way is to sample and evaluate a product against its relevant predefined criteria.

Sample a product or an output of a process, review its quality plan, detect its specifications, and check whether the product was realized according to the plan. Document the results.

• The identification and implementation of international, national, or local regulations will be evaluated.

The audit shall examine the identification of appropriate regulations, their introduction to the quality processes (such as management review, or integration in the training program), implementation throughout the realization processes, and maintenance of the appropriate records.

• Processes and procedures:

The audit must evaluate whether the realization processes are performed as required. It could be correlated with the quality plans.

The evaluation would refer to required results or predefined criteria.

Generally speaking, an audit must sample the processes and outputs and evaluate two things:

• Whether the process is managed as planned: according to its definition (process chart, diagram, SOP, etc.)

• Whether the process achieves its objectives: if the parameters of the process are valid and the outputs are as expected

Conformance of QMS to the ISO 9001 Standard Requirements

Aside from the organization’s requirements, the audit shall evaluate the implementation of the ISO 9001 Standard requirements.

The implementation of the ISO 9001 Standard requirements for quality processes includes, for example,

• The specific documentation requirements

• Addressing risks and opportunities

• Implementing the required purchase controls

This part of the audit must be conducted throughout all organizational units that are related to product realization or are under the scope of the QMS.

For each organizational unit, it is required to audit the extent to which quality management tools are implemented, for example, management of resources, knowledge and competence, maintenance of quality documented information, or management of nonconformities.

Effectiveness of the Implementation and Maintenance of the QMS

The audit must provide the ability to evaluate whether the QMS is effective or not.

The effectiveness of the QMS refers to the extent to which objectives of processes were achieved and may indicate how much the QMS has improved.

This will be reviewed through two aspects of the QMS:

• Quality objectives:

The audit must indicate whether the organization has achieved its quality objectives.

During the audit the relevant quality objectives will be reviewed for their relevance to the process and how they are measured and to what extent they were achieved (the results of the measurement).

When it is found that an objective has not been reached, the cause must be presented, along with the measure taken to handle it.

• Improvement of the QMS:

The audit must indicate whether measures and actions were undertaken in order to improve the QMS and whether those actions were effective, that is, whether the improvement was achieved.

Audit Criteria

In order to conduct effective tests or inspections, you need to assign and document criteria to each test.

Criteria are a set of policies, procedures, or requirements used as a reference against which audit evidence is compared.

The objectives of the criteria are:

• To support decisions for judging, evaluating, and determining by facts, values, and data the compliance of the outputs to the requirements; the auditor samples a process or process output, views it, turns to the criteria, and decides whether the process was effective or not

• To enable the determination of the extent of conformity of processes or process outputs

The audit plan shall refer each test to its appropriate criteria.

The criteria may be quantitative, such as tolerances and limits of processes, number of trainings per year, and number of accepted nonconformities, or qualitative, such as estimations of knowledge and skills.

One important property of the criteria is the ability to evaluate audit findings against them.

In other words, the criteria must be adjusted to the type of findings; if you are auditing the processes of certifying new personnel, the criteria should be a procedure or a checklist that describes which activities must be accomplished when accepting a new worker.

The criteria will provide a successful validation by indicating whether the findings are accepted or rejected.

The criteria will present a method for the evaluation and will refer not only to products, parts, or components but also to realization processes and conditions for realization.

Types of criteria include

• Policies

• Working instructions, test instructions, and procedures

• Drawings and specifications

• Management system requirements

• Quality plans

• Standards and technical specifications

• Laws, regulations, and directives

• Documented customer requirements like orders or contractual requirements

• Industry or business sector codes of conduct