For a simple little document, it’s hard to believe the amount of confusion an “audit plan” causes, and the amount of time that is spent by people in a role (similar to mine, at SQMC) who train auditors, to explain the who/what/how/where/when of audit plans!
Firstly, there is the confusion that comes by mixing up audit plans and audit programmes or audit schedules; so let's lay that to rest right away.
An audit programme or schedule is a “set of one or more audits planned for a specific time frame and directed towards a specific purpose”. So, it’s a timetable of the audits to be carried out, usually over 12 months but can be longer or shorter.
An audit plan, however, is a “description of the activities and arrangements for an audit”. And since we are providing all the definitions we need here (courtesy of ISO 9000:2015 – Quality Management Systems – Fundamentals and Vocabulary*) let’s just add in the official definition of "audit", which is a “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”.
So, the audit plan is a tool used by the auditor to ensure that appropriate attention is devoted to important areas, potential problems are promptly identified, work is completed expeditiously, and work is properly coordinated. Audit planning means developing a general strategy and a detailed approach for the expected nature, timing, and extent of the audit. The auditor plans to perform the audit in an efficient and timely manner, and putting the plan together also allows the auditor to make a judgement about the feasibility of the audit.
Audit planning means developing a general strategy and a detailed approach for the expected nature, timing, and extent of the audit.
On working out the time that the audit will take, the auditor must be sure he/she can collect sufficient, valid, reliable, verifiable evidence to make a reasoned judgement in accordance with the audit objective (most commonly on the degree of conformity with audit criteria).
An audit plan will identify any risks to achieving the audit objective, and the auditor has the option to reduce the scope and/or the amount of criteria he/she is auditing against if he/she needs to because of risk or feasibility issues.
So here are the 7 key factors a normal audit plan will include or reference, as a minimum:-
- Audit objective, scope, and criteria.
- Clear identification of the organisation, functional area, department, as well as processes to be audited.
- Any pertinent reference documents.
- Locations, dates, anticipated times, and duration of audit activities (interviewing, observation, and evaluation of documented information).
- Requirements for the auditor or audit team members to be inducted into the auditee’s facilities and processes, (perhaps involving a tour), and a review of information provided by the auditee.
- Information on sampling.
- Resources, both those to be deployed by the auditor and those provided by the auditee to allow for a successful audit.
*NB Sign up for an SQMC ISO 9001 Internal Auditor or Lead Auditor course and receive a free, licensed copy of ISO's Fundamentals and Vocabulary; worth £230 if purchased from the British Standards Institute!
Photography: Brett Jordan