According to ISO 19011 the audit scope is the extent and boundaries of an audit.
The audit scope normally includes a description of the physical locations, organi-zational units, activities and processes, and the time period covered.
The audit scope indicates or fixes a limit or extent of the audit. The scope has been described as the breadth of the audit and may specify areas not to be included in the audit.
The scope or criteria of an audit can include:
• Physical locations
• Departments, areas, or units
• Products, processes, or systems
• Areas excluded from the audit
• Timeline for audit activities or events
• Relevant system and process policies, procedures, instructions, and plans
• Applicable standards, contracts, regulations, codes, and other legal documents
The following list provides examples of audit scope. The scope of the audit includes:
• Processes performed in the raw material storage, fermentation and purification suites, bulk filling area, final product storage, and the product testing laboratory.
• Policies and procedures for IT security for financial computer systems.
Quality- related computer systems will not be addressed during this audit.
• The confined space entry and lockout/tagout safety systems for process vessels.
• Controls in place at supplier XXX Container Company for the manufacture, testing, and release of bottles and caps during the past two years.
Part Ib
If the scope or audit criteria must be changed before or during the audit, the audit participants should be informed of the change and it should be documented in the audit plan.
If two or more management systems of different areas or disciplines (e.g., qual-ity, safety, environmental) are audited together (a combined or integrated audit), it is important that the audit objectives, scope, and criteria be compatible with the objectives of the relevant audit programs.
2. beNeFITs oF aUdITs
The benefits of an audit are numerous. Audits can verify ongoing conformance to requirements and promote improvement of the organization’s effectiveness and efficiency. Management can utilize the objective data to make informed decisions regarding the achievement of organization objectives.
Auditing benefits include:
• Verification of conformance to requirements such as a management system, regulatory and contractual
• Identification of risks and monitoring of risk treatments
• Identification of opportunities for improvement
• Verification that projects were implemented according to plan
• Determination of readiness of new products and processes
• Verification of system effectiveness
• Identification of inefficiencies and ineffective controls
• Verification of corrective actions and their effectiveness
• Identification and reporting of best practices
• Advancing the achievement of organization objectives
Auditors have a broad perspective of an organization and analyze evidence reported to management. Management can use this information to evaluate the organization and implement measures necessary to meet its objectives.
A new auditor received lots of complimentary feedback from an audi-tee who was very close to the process he managed. A staff auditor had coached the new internal system auditor to ask reporter- type ques-tions, explaining that the “why” question was not philosophical. The answer to “why” gives the reason or driver for an activity. After the audit, the manager said that he had learned more from attempting to answer and document the driver for the activity than from any previ-ous audit experience. It reinforced the actions needed for an activity and surfaced unnecessary actions.
P art Ib
Management review should consider recurring nonconformities (for example, at a particular location or with a particular procedure) as possible evidence that the plans and procedures should be changed. Even more useful is a management review of potential inefficiencies.
When audit results are being viewed as added system information, audit-ing starts to provide the information needed for the “Check” step in the Dem-ing (also known as “Shewhart”) Plan- Do-Check-Act (PDCA; also known as the PDSA: Plan- Do-Study-Act) cycle. With the kind of information that process and system audits provide, management is better prepared to move forward with more- informed decisions. Elevation of nonconformity resolution to the PDCA par-adigm requires the use of more contemporary tools for problem solving, improve-ment, and overall management. The universe of opportunities expands as new knowledge and theories are developed. System and process auditing can provide this new knowledge, if understood and properly applied.
Part IC
dIsCUssIoN
Audit criteria is a universal term that describes the reference used by an audi-tor against which the evidence collected during the audit can be compared. The ISO 19011, clause 3.2 states that audit criteria are a set of policies, procedures, or requirements used as a reference against which audit evidence is compared. The ISO 9000 vocabulary standard explains that requirements may be generated by various stakeholders or interested parties. Requirements may be specified or they may be generally implied, such as customs or common practice. This definition recognizes that not all requirements can be specified. For example, we expect new products to arrive clean, services to be performed in a timely manner, reports to be legible, and service persons to practice good hygiene, even though such require-ments may not be specified in a document, contract, or standard.
The audit criteria may be referred to as system or process requirements, rules that the auditee follows, or a specific named standard or regulation. The audit principle is that auditors audit against criteria, a set of rules or specified controls, and not their own opinion of what the auditee should be doing. The evidence collected, which is used as a basis for findings and the audit report, should be relevant to the audit criteria.
Assigned auditors must be knowledgeable of the audit criteria, document, or standard that the organization is being evaluated against. Auditors must be com-petent, and part of that competency is knowledge of the audit criteria and their interpretations.