Audit Planning, Scope Definition and Audit Checklist

Audit Planning in Brief

  • Scope, criteria and objectives for each audit defined upfront
  • Audit checklist or guide developed from the criteria
  • Opening meeting agreed with the auditee

Audit planning and scope

The audit programme says purchasing will be audited in March. Audit planning is what turns that line on the programme into a useful audit on the day. Without planning, an audit becomes a wander through the area with a checklist - asking general questions, looking at random documents, leaving with vague impressions. With planning, it becomes a focused look at specific evidence against specific criteria.

ISO 9001 Clause 9.2.2b and the equivalent clauses in the other ISO standards require the organisation to define the audit criteria and scope for each audit. That requirement looks small in the standard but it is one of the things that most distinguishes a useful audit from a tickbox one.

Defining the audit scope

The scope sets the boundaries of the audit. A scope that is too wide means the auditor cannot do justice to any part of it. A scope that is too narrow misses the connections between processes and the wider system.

For most internal audits, the scope is one process or area at a time - purchasing, despatch, training, equipment management. The scope statement names the process, identifies any specific sub-areas in or out of scope, and notes any sites or departments included or excluded.

For organisations certified to multiple standards, the scope also identifies which standards the audit covers. An integrated audit of purchasing might cover ISO 9001 supplier appraisal, ISO 14001 environmental criteria for suppliers, ISO 45001 contractor competence and ISO 27001 supplier security. The scope statement makes this explicit so the auditor knows what to evaluate against.

Defining the audit criteria

The criteria are what the audit is checking against. Three categories of criteria usually apply.

The organisation's own management system. The procedures, work instructions, registers and policies that say how the process should be done. The audit checks whether what is happening matches what these documents say.

The relevant ISO standard requirements. The clauses of ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22301 or ISO 37001 that apply to the area being audited. This is where the integrated audit checklists earn their place - they consolidate the relevant clauses from all standards in scope.

Applicable legal and regulatory requirements. Where the area being audited has specific legal duties - RIDDOR reporting for accidents, UK GDPR processing for personal data, HMRC retention for financial records - the audit usually covers compliance with those too.

Listing the criteria explicitly at the start of the audit prevents the common drift where an auditor ends up commenting on things that are not actually requirements.

Audit checklists - prepared or developed

Most audits use a checklist of some sort. There are two practical approaches and both are acceptable.

The first is to use a pre-prepared checklist - the alphaZ toolkit includes a generic F-Q2 Internal Audit Checklist and a series of process-specific checklists (A-C P01 to A-C P25) covering common audit areas. These already incorporate the relevant ISO clauses, so the auditor adds organisation-specific procedure references and uses them as the basis for the audit.

The second is to develop a checklist from the procedures and standard requirements at the start of each audit. This is more work but produces a more tailored checklist. It is often preferred where the organisation's processes are unusual or where pre-prepared checklists do not fit well.

Whichever approach is used, the checklist is a starting point, not a script. A good auditor will follow leads that come up during the audit even if they are not on the original checklist - findings often emerge from unexpected places, and rigid adherence to a pre-printed list can miss them.

Sample sizes and evidence types

Internal audits are sample-based. The auditor looks at a sample of records, processes or transactions rather than every one. Planning includes deciding what sample sizes are appropriate.

For low-volume processes (e.g. major contracts, design changes), the auditor might look at all records since the last audit. For high-volume processes (e.g. delivery notes, purchase orders), a sample of five to ten records spanning the audit period is usually proportionate. The sample should be deliberately spread - not all from the same week, not all raised by the same person, not all of the same type - so that the audit does not end up describing one person's habits or one busy week rather than the process as a whole. Deciding the spread in advance, and recording how the records were chosen, also lets a later auditor repeat the selection rather than second-guess it.
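The sampling rule above (everything for a low-volume process, a spread sample for a high-volume one) is easy to state and easy to get wrong on the day, because a quick draw from a register tends to land on whoever raises most of the records. The following is an added example, not part of this page or of the alphaZ toolkit, showing one way to make the spread explicit and repeatable: the audit period is split into as many equal windows as records wanted, one record is drawn from each window, and within a window a record from a person not yet in the sample is preferred. The purchase-order data is constructed for the illustration, and the record fields (`ref`, `created`, `owner`) and the cut-off of twelve records are assumptions, not anything the page specifies.

```python
"""Stratified record sampling for an internal audit (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
import random


@dataclass(frozen=True)
class Record:
    ref: str        # document reference, e.g. a purchase order number
    created: date   # date the record was raised
    owner: str      # person who raised it (assumed field name)


def select_sample(records, low_volume_cutoff=12, target=8, seed=0):
    """Pick records for an audit sample.

    At or below `low_volume_cutoff` records the whole population is returned
    (low-volume process: look at everything since the last audit).  Above it,
    the date range is split into `target` equal windows and one record is
    drawn from each, preferring an owner not already sampled, so the picks are
    spread across both time and people.  A fixed `seed` keeps the draw
    repeatable so the selection can be recorded and re-run.
    """
    if not records:
        return []
    ordered = sorted(records, key=lambda r: r.created)
    if len(ordered) <= low_volume_cutoff:
        return ordered
    rng = random.Random(seed)
    start, end = ordered[0].created, ordered[-1].created
    span_days = (end - start).days + 1
    window = max(1, -(-span_days // target))      # ceiling division
    buckets = [[] for _ in range(target)]
    for r in ordered:
        idx = min((r.created - start).days // window, target - 1)
        buckets[idx].append(r)
    sample, seen_owners = [], set()
    for bucket in buckets:
        if not bucket:                             # empty window: nothing to draw
            continue
        fresh = [r for r in bucket if r.owner not in seen_owners]
        pick = rng.choice(fresh or bucket)         # fall back to anyone in the window
        sample.append(pick)
        seen_owners.add(pick.owner)
    return sample


def spread_report(sample):
    """Summarise how a sample is spread across owners and calendar months."""
    return {
        "owners": Counter(r.owner for r in sample),
        "months": sorted({(r.created.year, r.created.month) for r in sample}),
        "first": min(r.created for r in sample),
        "last": max(r.created for r in sample),
    }


def constructed_purchase_orders():
    """Constructed test data (not real records): 40 purchase orders raised every
    four days from 8 Jan 2024, with 'alice' raising four out of every five."""
    others = ["bob", "carol", "dan"]
    start = date(2024, 1, 8)
    return [
        Record(f"PO-{1000 + i}",
               start + timedelta(days=4 * i),
               others[(i // 5) % 3] if i % 5 == 0 else "alice")
        for i in range(40)
    ]


if __name__ == "__main__":
    orders = constructed_purchase_orders()
    picked = select_sample(orders)
    for r in picked:
        print(r.ref, r.created.isoformat(), r.owner)
    print(spread_report(picked))
```

With this data a naive "first eight" or "last eight" would be almost entirely one buyer's work; the windowed draw still picks eight records, one from each part of the period, and reaches all four buyers because each window contains a record from someone other than the dominant one. The owner preference is a simple heuristic, and for a process where the interesting variation is by site or by record type the same approach works with that field in place of `owner`.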

Evidence types vary. Documents and records are one source - but observation (watching the work being done), interviews (asking the people doing the work) and physical inspection (looking at the equipment, the storage, the controls) often produce different findings. A pure desk audit checking only documents and records will miss issues that only show up in practice.

Practical arrangements

The mechanics of audit planning are mundane but matter. The audit needs a date and time when the people in the area being audited are actually available. Half an hour is rarely enough for a meaningful process audit - one to three hours is typical for a single-process audit. The auditor needs access to the documents and records, the people and the work area.

An opening meeting at the start of the audit is good practice for anything more than a quick check. It takes five minutes, sets expectations, confirms scope and criteria, and gives the people in the area a chance to ask questions before the audit starts. A closing meeting at the end summarises what was found before any findings get formalised. Both reduce surprises and improve the quality of audit findings.

Planning is the difference between an internal audit that finds something useful and one that does not. I look at the audit checklist used and the scope statement before I look at the findings. If the scope is vague or the criteria are not stated, the audit will probably have surface-level findings or none at all.

I am not looking for elaborate planning documents. A scope sentence, a list of criteria, a checklist with the procedure references and the standard clauses on it - that is enough to show that the audit was thought about before it happened.

We use the toolkit checklists as a starting point and adapt them. Each audit gets a one-page plan with the area, the auditor, the date, the scope, what we are going to look at and what evidence we are going to sample. Takes ten minutes to put together and saves an hour of confusion on the day.

Scope and criteria. Two short statements. What are we auditing, and what are we auditing it against. If you cannot answer those two questions in a sentence each before the audit, the audit is not ready to happen.

Practical compliance guidance

IMS1 Section 5.3.2 Internal Audits - Audit Completion covers how individual audits are planned and conducted, including the use of pre-prepared checklists and the development of organisation-specific audit content.

The toolkit provides generic and process-specific audit checklists, the policy and guidance documents covering audit planning, and combined checklists for organisations certified to multiple standards.

alphaZ document - How to use it

  • ISO 9001 Management System Toolkit - Full toolkit with the audit checklist, schedule and supporting documents for planning internal audits under ISO 9001.
  • F-Q2 Internal Audit Checklist - Generic audit checklist template, used as the basis for individual audits or adapted to specific processes.
  • A-C ISO 9001 Management System Audit Checklist - Pre-prepared audit checklist covering the requirements of ISO 9001:2015, suitable for clause-based or full-system audits.
  • A-C ISO 9001/14001/45001 IMS Audit Checklist - Combined audit checklist covering quality, environmental and H&S requirements in a single document for integrated audits.
  • A-C Operational Processes Audit Checklist - Process-focused audit checklist covering core operational areas; useful where the audit is scoped by process rather than by clause.
  • GG-1-10 Internal Audits Guidance - Plain-language guidance on planning individual audits, including scope, criteria, sample sizes and evidence types.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

What should the audit scope include?

The scope identifies the process, area, sites and departments included in the audit, and which ISO standards are being audited against. For most internal audits the scope is one process or area at a time. The scope statement should be specific enough that the auditor knows what is in and out of scope before the audit starts.

Does audit planning have to be documented?

Yes for the scope and criteria - ISO 9001 Clause 9.2.2b requires these to be defined for each audit. Beyond that, the level of formality is up to the organisation. A short scope and criteria statement on the audit checklist itself usually meets the requirement without adding paperwork.

How many records should an internal audit sample?

There is no fixed sample size in the standards. For low-volume processes, all records since the last audit may be appropriate. For high-volume processes, five to ten records spanning the audit period is usually proportionate. The sample should be deliberately spread across people, time and process variants so that it does not describe a single pattern.

Should the same checklist be used for every audit?

A consistent base checklist is helpful for trending findings over time, but the checklist should be adapted for the specific scope and criteria of each audit. Pre-prepared toolkit checklists provide a stable framework, with organisation-specific procedure references added each time. Auditors should also follow leads that emerge during the audit even if they are not on the checklist.

UK Legislation relevant to audit planning

Audit planning is not directly required by UK legislation, but the criteria of an internal audit often include legal compliance, which means the audit needs to know which UK laws apply to the process being audited. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
