The audit schedule and programme
An audit programme is a forward plan of audits across the management system. It is the document that converts "we will audit our system" into "we will audit purchasing in March, despatch in May and the management of equipment in September". Without a programme, internal audits tend to bunch up just before certification visits and leave the rest of the year uncovered.
ISO 9001 Clause 9.2.2 and the equivalent clauses in the other ISO standards require the organisation to plan, establish, implement and maintain an audit programme that takes into account the importance of the processes concerned, changes affecting the organisation, and results of previous audits. The programme is not a one-off plan - it evolves as the organisation evolves.
What the audit programme covers
A useful audit programme covers four things for each entry on it.
First, what is being audited. This is usually a process or area - purchasing, production, sales, despatch, management of equipment, training. Some organisations include audit entries for specific ISO clauses too, particularly for areas like context, risk and management review where there is no obvious operational process to audit.
Second, when. A target date or month, not necessarily a precise day. The programme is a plan, not a calendar, and audits often shift by a few weeks for legitimate reasons.
Third, who is auditing. Named or by role. An auditor cannot audit their own work, so the programme has to plan around that constraint - the person who runs purchasing does not get the purchasing audit.
Fourth, frequency. How often this area is audited. Areas that are high-risk, subject to recent change, or where issues were found recently typically come up annually or even more often. Stable, well-understood areas might be audited every two or three years.
The F-Q17 Internal Audit Schedule in the toolkit captures all four in a simple table format.
Audit frequency - how to set it
The standards do not prescribe an audit frequency, but they do require the programme to take account of importance, changes and previous results. In practice this means audit frequency is risk-based rather than uniform.
Higher frequency. Areas where the consequences of failure are significant, where there has been recent change, or where previous audits or external feedback have identified issues. Customer-facing processes, areas with regulatory implications and newly introduced processes typically fall here. Annual or more often.
Standard frequency. The bulk of operational and management processes - purchasing, production, despatch, supplier management, document control, training. Annual or biennial.
Lower frequency. Stable supporting activities where little has changed and previous audits have found nothing significant. Some support processes can run on a two or three year cycle without losing coverage.
Across the whole programme, every part of the management system should be audited at least once over a sensible cycle. Most organisations align the programme with the certification cycle - annual surveillance audits, three-year recertification - so that the whole system is audited at least once between certification visits.
Building the first programme
The first audit programme is harder than later ones because there is no history to draw on. A practical approach is to list every process and management system requirement, group them into auditable areas (typically eight to fifteen entries for a small or medium organisation), and assign each one a frequency based on initial risk.
That programme will not be perfect. Six months in, after the first round of audits, it usually needs adjustment - some areas turn out to need more frequent attention, others can move to a longer cycle. That is the programme working as intended. A programme that never changes is one that has stopped responding to what the audits are finding.
Adjusting the programme as you go
Three triggers should prompt a programme review.
The first is significant findings from previous audits. Where an audit has found a serious non-conformity, the area is usually re-audited sooner than originally planned to confirm that corrective action has been effective. The programme is updated to show the additional audit.
The second is significant change. New processes, new products, new sites, new ISO standards being added to scope, new legislation - all of these may need an audit sooner than the standard cycle would have given them.
The third is management review feedback. The audit programme is one of the standard inputs to management review, where management considers whether the programme is still appropriate and approves the forward schedule.
Adjustments are recorded on the schedule rather than made informally. An auditor looking at the programme should be able to see what has changed and why.
Linking the programme to the management system
The audit programme is not a standalone document. The schedule references areas that exist elsewhere in the management system - the document register, the risk register, the legal register, supplier records and so on. When something significant changes in any of these, it usually has implications for the audit programme.
The simplest way to keep this connection live is to include the audit programme as a standing agenda item in management review and to update it after major changes (new products, sites, certifications, regulatory changes). Treating it as a static one-page document that gets dusted off once a year is the most reliable way to lose value from it.
The audit programmes that work tend to be the ones that are visibly being adjusted as the year goes on. New entries added when a process changes, frequencies adjusted when audits find recurring issues, dates moved when something genuinely needs to be re-audited sooner. That is what the standard means by an audit programme that takes account of changes and previous results.
The programmes that struggle in audits are the ones that look identical year after year - the same areas, the same dates, the same auditors, the same frequencies - regardless of what has actually been happening.
I look at the audit programme alongside the audit reports. If the programme says purchasing is audited annually but the last three audit reports for purchasing are six weeks apart and then nothing for two years, the programme is not being used as a planning tool.
I also look at coverage. If the programme covers operational areas but never touches context, risks, legal compliance or top management's involvement in the system, that is a coverage gap I will raise.
Keep the programme simple. A spreadsheet with one row per audit, four columns. Anyone in the company should be able to look at it and see when their area is next being audited and by whom. If the programme needs explaining, it is too complicated.
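The two checks described above - programme frequency against actual report dates, and coverage of the non-operational areas - are mechanical enough to script once the programme is in a simple table. The following is an added example, not part of the alphaZ toolkit or the F-Q17 / ER11 schedules. The programme rows, report dates, required-coverage list and review date are constructed for illustration, and the tolerance figures (a two-month slip allowance, "bunched" meaning closer than half the planned interval) are assumptions rather than figures from any standard. It also flags the auditor-independence constraint and treats a recorded follow-up audit after a non-conformity as legitimate rather than as bunching.

```python
"""Cross-checks between an audit programme and the audit reports it should drive.

Added example, not part of the alphaZ toolkit or of the F-Q17 / ER11 schedules.
All programme rows, report dates and the required-coverage list are constructed
for illustration; the thresholds are assumptions, not figures from any standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class ProgrammeEntry:
    area: str
    auditor: str            # named person or role
    frequency_months: int   # 12 = annual, 24 = biennial, 36 = three-year cycle
    process_owner: str      # who runs the area; an auditor must not audit their own work


@dataclass
class Report:
    when: date
    follow_up: bool = False  # planned re-audit after a serious non-conformity


# Constructed sample programme: one row per area, the four columns from the text.
PROGRAMME = [
    ProgrammeEntry("Purchasing", "J. Smith", 12, "A. Jones"),
    ProgrammeEntry("Despatch", "A. Jones", 12, "J. Smith"),
    ProgrammeEntry("Management of equipment", "J. Smith", 24, "B. Lee"),
    ProgrammeEntry("Training", "B. Lee", 36, "B. Lee"),  # auditor owns the area
]

# Constructed sample of audit reports by area.
REPORTS: Dict[str, List[Report]] = {
    "Purchasing": [Report(date(2022, 1, 10)), Report(date(2022, 2, 21)),
                   Report(date(2024, 3, 5))],            # bunched, then a two-year gap
    "Despatch": [Report(date(2023, 5, 2)), Report(date(2023, 6, 13), follow_up=True),
                 Report(date(2024, 5, 14))],             # legitimate re-audit
    "Management of equipment": [Report(date(2023, 9, 1))],
    "Training": [],
}

# Areas a reviewer expects to find somewhere on the programme (from the text).
REQUIRED_AREAS = ["Context", "Risks", "Legal compliance", "Management review"]

SLIP_MONTHS = 2               # assumed tolerance: audits "often shift by a few weeks"
TODAY = date(2025, 6, 1)      # assumed review date


def months_between(a: date, b: date) -> int:
    """Whole calendar months from a to b (day of month ignored)."""
    return (b.year - a.year) * 12 + (b.month - a.month)


def check_programme(programme: List[ProgrammeEntry], reports: Dict[str, List[Report]],
                    required: List[str], today: date) -> List[str]:
    """Return one finding per problem; an empty list means programme and reports agree."""
    findings = []
    covered = {e.area.lower() for e in programme}
    for area in required:
        if area.lower() not in covered:
            findings.append(f"coverage gap: {area} is not on the programme")
    for e in programme:
        if e.auditor == e.process_owner:
            findings.append(f"independence: {e.auditor} is scheduled to audit their own area ({e.area})")
        done = sorted(reports.get(e.area, []), key=lambda r: r.when)
        if not done:
            findings.append(f"never audited: {e.area}")
            continue
        for prev, nxt in zip(done, done[1:]):
            if nxt.follow_up:
                continue  # a planned re-audit is the programme working as intended
            gap = months_between(prev.when, nxt.when)
            if gap < e.frequency_months // 2:
                findings.append(f"bunched: {e.area} audited {gap} month(s) apart "
                                f"({prev.when} and {nxt.when}) against a {e.frequency_months}-month frequency")
            elif gap > e.frequency_months + SLIP_MONTHS:
                findings.append(f"missed cycle: {e.area} had {gap} months between audits "
                                f"({prev.when} to {nxt.when})")
        overdue = months_between(done[-1].when, today) - e.frequency_months
        if overdue > SLIP_MONTHS:
            findings.append(f"overdue: {e.area} last audited {done[-1].when}, "
                            f"{overdue} months past its {e.frequency_months}-month frequency")
    return findings


if __name__ == "__main__":
    for line in check_programme(PROGRAMME, REPORTS, REQUIRED_AREAS, TODAY):
        print(line)
```

Run against the constructed data this reports the four coverage gaps, three findings on purchasing (two audits six weeks apart, then a 25-month gap, then overdue), and two on training (the process owner auditing their own area, and no report at all); despatch is clean because its second audit is recorded as a follow-up. Adjustments recorded on the schedule, as the text recommends, are exactly what the `follow_up` flag stands in for.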
Practical compliance guidance
IMS1 Section 5.3.1 Internal Audit Planning - Audit Schedule describes the audit programme and how it is constructed and maintained, including what to take into account when setting frequencies and how the programme is reviewed.
The toolkit provides two audit schedule formats - ER11 and F-Q17 - along with the policy and guidance documents that govern how the programme is managed.
| alphaZ document | How to use it |
|---|---|
| ISO 9001 Management System Toolkit | Full toolkit including the audit schedule, audit checklist and supporting policy and guidance documents for setting up an audit programme. |
| ER11 Internal Audit Schedule | Register-style audit schedule recording each area to be audited, the auditor, the frequency and target dates. |
| F-Q17 Internal Audit Schedule | Form-style alternative audit schedule, useful where a simpler one-page programme is preferred. |
| PP-1-10 Internal Auditing and ISO Compliance Policy | Policy and procedure setting out how the audit programme is established, maintained and reviewed. |
| GG-1-10 Internal Audits Guidance | Plain-language guidance on building and maintaining an audit programme that responds to change and previous findings. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation relevant to audit programmes
UK legislation does not directly require ISO-style audit programmes, but several laws require organisations to monitor and review compliance with regulatory duties - which an audit programme typically supports. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
- Health and Safety at Work etc. Act 1974
- Management of Health and Safety at Work Regulations 1999
- Data Protection Act 2018
