ISO internal audit scope and criteria (what is the difference)

First, the audit objective should be consistent with the overall audit programme objectives e.g. to assist in achieving conformity assessment or providing assurance of compliance obligations. Source 19011 5.5.2. Note: Audit programme objectives and risk can be documented in the programme itself and or the management review.

Scope

Again, this should be consistent with the programme but refer to either: functions, activities, or the processes themselves.

Criteria

Audit criteria are used as a reference against which conformity is determined e.g., clauses, policy process, and or procedure. Also, as best practice/benchmarking, statutory & regulatory requirements, KPIs.

Summary

For scope start at a departmental and/or functional level, for criteria focus on the processes/procedures themselves; clauses may be referenced here.

Remember it is best practice to audit the process rather than the clause.