by J. P. Russell
This column will be devoted to a quick review of ISO 19011 topics. In each edition of The Auditor, I’ll discuss a different topic and follow that with a quiz so readers may evaluate their understanding of the information. Readers are encouraged to share this column during short informal meetings with other auditors or interested parties, which I believe will result in more effective audits.
The auditing activities clause is a major one of ISO 19011. The auditing activities can also be called process steps or actions. The auditing activities are the step-by-step methods for preparing, performing, reporting, and following up on the audit. In this column, I will discuss one of the most important preparation or planning activities. Before there can be a system or process audit, the audit objectives, scope, and criteria must be defined. All other audit activities will center around what has been decided in this step. This is the ‘why do the audit’ and ‘what needs to be audited’ step.
ISO 19011, clause 6.2.2 for defining audit objectives, scope and criteria starts out stating that every individual audit should be based on documented objectives, scope and criteria. Important points are that all individual audits must have documented objectives, scope, and purpose. Audit objectives, scope and criteria should be specific to each individual audit and should not be generic statements that would apply to all process or system audits. If definitions are too general, they provide very little guidance and could cause confusion and result in inefficient use of resources. The second point in this paragraph of clause 6.2.2 is that the objectives, scope, and criteria definitions must be documented. An organization can consider any means or mediums for documenting the information. Considerations include cost, efficiency or speed, and effectiveness of the medium in distributing, disseminating, or communicating the information to others involved in the process.
There are several example audit objectives included in the standard. The example audit objectives are:
a. Determine the extent of conformity of the system or process to the defined criteria. This is a typical objective for quality and environmental management system audits. An interesting and important word in this phrase is the word extent. How does an auditor determine the extent of conformity? Can the auditor issue an audit score? A score or grade could determine the extent or degree of conformity as well as establish a minimum score or grade to pass the audit. Or should the auditor determine if the organization conforms to the criteria based on the number of major findings (such as zero)? Audit organizations may practice either of the above methods depending on their situation, such as type of industry, 1st, 2nd, or 3rd party audit, government oversight, regulated organization, and so on.
b. Evaluate capability of the management system to ensure compliance to statutory, regulatory, and contractual requirements. When would determining organizational capability be important? Perhaps when selecting a supplier or evaluating readiness for a regulatory audit or inspection.
c. Evaluate the effectiveness in meeting management system objectives. This example objective goes beyond simple conformance or compliance, which many don’t fully understand. Plus, it could have different meanings for 1st, 2nd, and 3rd party audit organizations as well as regulated versus non-regulated. An important point is that an audit with this type of audit objective is only going to be as good as the management system objectives. For example, an organization may have exceeded its objective to reduce the number of label defects. But this may be a result of reduced usage of the label and not a result of actions by management. The other important aspect for this audit objective is for the auditor(s) and auditee organization to understand what an effective process looks like. How do you know a process is effective? The ISO 9000 vocabulary standard provides some help by defining the word effectiveness (see definition at the end of this article).
d. The last example audit objective is for the auditor to identify areas for potential improvement of the management system. This objective could add value to the organization and is very worthwhile. In our competitive world in both the public and private sectors, organizations want to improve, make things better. This is another audit objective that can add value, but more needs to be understood about improvement. Many equate improvement with maintaining, repairing, or redoing activities. Improvement happens when the organization is more valuable as a result of the improvement actions, such as being more efficient, having greater capacity, adding innovative designs, services or products, and capital improvements.
Some organizations use the phrases audit purpose and audit objective interchangeably.
ISO 19011, clause 6.2.2 describes the audit scope as the extent and boundaries of the audit. This is explained as the: 1) physical location (such as address, plot, floor, area), 2) organization units (such as department or branch), 3) activities and processes (such as marketing, sawing, underwriting, product line), and 4) the time period to be covered. What would a scope statement for your organization look like? This helps the auditor to prepare and keeps him/her focused. In general, auditors should always stay within the scope. Staying within the scope is good practice and avoids accusations of an auditor being on a witch hunt. However, when would it be acceptable for auditors to deviate from the agreed scope? When there are observations that could result in possible personal injury, illegal acts, unethical actions, or potential loss of property (such as a fire hazard).
We have not discussed the audit criteria yet. Defining the audit criteria is part of the ‘what needs to be audited’ step. The audit criteria term stands for everything that an auditor can audit against. An auditor can audit against any rules, procedures, objectives, goals, contracts, laws, codes of conduct, good practices and so on.
Who should define the audit objectives, scope, and audit criteria? The audit client should define the audit objectives. The scope and criteria should be defined between the audit client and audit team leader. This means that either the client, audit team leader, or both should be responsible for defining the scope and criteria. ISO 19011 does not include the audit program manager in this process. My experience has been that the audit program manager is also involved in the process for determining the audit criteria, but this is not mentioned in ISO 19011. How this is managed in your organization should be stipulated in your audit program procedures.
Defining the audit objectives, scope and criteria is the key for determining all the remaining audit process steps for planning, performing, reporting and follow-up. This step provides the basis for the individual audit. Doing a poor job here will directly affect the audit effectiveness and efficiency.
Overall, the audit activities for defining the audit objectives, scope and criteria should be consistent with your audit program objectives, scope, criteria and procedures. The ISO 19011 standard provides guidance to help you develop your organization’s audit program procedures that support your organization’s objectives.
Definition: Effectiveness – The extent to which planned activities are realized and planned results achieved. ANSI/ISO/ASQ Q9000:2005, clause 3.2.14
Please choose the best answer considering guidance provided by the ISO 19011 standard.
1. Is it really necessary to always document individual audit objectives, scope and criteria?
a. No, not always, as long as the information is verbally shared with the auditor(s) and auditee.
b. Yes, because the information must be communicated and understood by all parties involved in the audit.
c. No, because documenting every individual audit objective, scope and criteria would be inefficient and waste resources.
d. Yes, because the auditee organization must be given an opportunity to review and approve the objectives, scope, and criteria prior to the audit.
2. Which of the following audit objectives would be appropriate if the client wanted to ensure the system or process conformed to a set of requirements?
a. Verify compliance to ISO 9001 requirements for certification purposes
b. Determine the extent of conformity to audit criteria
c. Determine degree of conformity to requirements
d. Confirm contract obligations are being carried out
e. All the above
3. Which of the following would not be considered part of the audit scope?
a. Physical boundaries
b. Criteria to audit against
c. Period of time covered
d. Units, departments, areas
e. Processes, systems, products, and services
4. Can there be multiple audit objectives for an individual audit?
5. Who should define individual audit criteria?
a. Client, because she knows what the auditee should be audited against.
b. Audit team leader, because he is most familiar with the standards and other criteria.
c. Auditee, because they know their organizational structure and processes best.
d. A and/or B
1. b. For choice a, verbal exchanges could be inconsistent from person to person and be easily misunderstood. For choice c, not documenting the objectives, purpose and criteria could be less efficient and cause confusion. Choice d is wrong because the auditee (unless they are the client) does not approve or disapprove the objectives, scope and criteria for the audit.
2. e. All are okay.
3. b. Because ISO 19011 discusses audit criteria separately from the audit scope.
4. a. In many cases, there are multiple audit objectives. An auditor could verify conformity as well as identify potential improvement areas. Additionally, organizations are not limited to the four example audit objectives listed in ISO 19011. Perhaps you can think of other things (criteria) auditors could verify, confirm, identify, or determine.
5. d. In many audit situations, the client or audit program manager determines the overall criteria, such as a management system standard, and then the lead auditor drills down to specify the clauses and other applicable criteria (procedures, regulations, etc.) in the audit plan. Do you know how it works in your organization?
About the author
J.P. Russell is the founder and managing director of QualityWBT Center for Education (www.Qualitywbt.com), an eLearning provider. He is also an ASQ fellow, ASQ-certified quality auditor, member of the US TAG 302 for management system auditing, and member of the U.S. technical advisory group for the International Organization for Standardization technical committee 176. Russell is a recipient of the Paul Gauthier Award from the ASQ Audit Division and author of several ASQ Quality Press books about auditing, standards, and quality improvement.