Running an audit programme
Running an internal audit programme is a mandatory requirement for any management system that seeks certification by an external body. Internal audits also provide plenty of information on the conformity of the ISMS in their own right and should therefore be conducted even where certification is not the objective.
One thing that often causes confusion, even among experienced auditors, is the distinction between an audit and an audit programme. ISO 27000 defines an audit as:
"a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are met."
Audits are conducted by audit teams, which consist of auditors and subject matter experts with profound knowledge of and experience in their field.
An audit programme is:
"a set of one or more audits planned for a specific time frame and directed towards a specific purpose."
In other words, an audit programme encompasses all the audits needed to achieve a defined purpose within given constraints such as time or budget.
ISO 19011 provides guidance on auditing management systems, covering the principles of auditing, the management of an audit programme and the conduct of management system audits, with particular attention to the individual(s) managing the audit programme, the auditors and the audit teams. The following graph displays the process of managing an audit programme according to the standard PDCA cycle. Note how an audit programme can consist of multiple audits, as depicted in step 5.5.
Comment (Crayon, supporting partners and their end clients in improving cyber security posture; 2 years ago): Thanks for writing these up Aron, really useful material.