First, the audit objective should be consistent with the overall audit programme objectives e.g. to assist in achieving conformity assessment or providing assurance of compliance obligations. Source 19011 5.5.2. Note: Audit programme objectives and risk can be documented in the programme itself and or the management review.
Scope
Again, this should be consistent with the programme but refer to either: functions, activities, or the processes themselves.
Criteria
Audit criteria are used as a reference against which conformity is determined e.g., clauses, policy process, and or procedure. Also, as best practice/benchmarking, statutory & regulatory requirements, KPIs.
Summary
For scope start at a departmental and/or functional level, for criteria focus on the processes/procedures themselves; clauses may be referenced here.
Remember it is best practice to audit the process rather than the clause.
Comments