Explanation:
Identifying the source of information
Sampling available data
Gathering audit evidence
Verifying objective evidence
Evaluating evidence against the audit criteria
Making audit conclusions
Evaluating against the audit criteria
According to ISO 19011:2018, clause 6.4, the process of collecting and verifying information during an audit involves the following steps1:
Identifying the source of information: The audit team should identify the sources of information that are relevant to the audit objectives, scope and criteria. These sources may include documents, records, personnel, processes, activities, facilities, equipment, etc. The audit team should also determine the methods and tools for accessing and collecting the information, such as interviews, observations, document review, sampling, etc.
Sampling available data: The audit team should select a representative sample of the available data to verify the conformity and effectiveness of the management system. The sample size and selection method should be based on the audit objectives, scope and criteria, as well as the level of confidence and risk. The audit team should also consider the validity, reliability, relevance and sufficiency of the data.
Gathering audit evidence: The audit team should use the methods and tools identified in the previous step to collect audit evidence, which is the records, statements of fact or other information that are relevant to the audit criteria and verifiable. The audit team should record the audit evidence in a clear, concise and objective manner, using notes, checklists, photographs, audio or video recordings, etc.
Verifying objective evidence: The audit team should verify the accuracy, completeness and authenticity of the audit evidence collected. This may involve cross-checking different sources of information, confirming the identity and authority of the persons providing the information, examining the original documents or records, etc. The audit team should also identify any discrepancies, inconsistencies or gaps in the audit evidence.
Evaluating evidence against the audit criteria: The audit team should compare the audit evidence with the audit criteria to determine the extent of conformity and nonconformity. The audit team should also identify any opportunities for improvement, best practices, positive aspects or potential risks. The audit team should use professional judgement and apply the principles of auditing when evaluating the audit evidence.
Making audit conclusions: The audit team should consolidate the audit findings and evaluate the overall performance and effectiveness of the management system. The audit team should also consider the audit objectives, scope and criteria, as well as the context and expectations of the auditee and other interested parties. The audit team should provide a clear, concise and objective statement of the audit conclusions, which may include the degree of conformity, the achievement of the intended outcomes, the need for corrective actions, the suitability for certification, etc.
Evaluating against the audit criteria: The audit team should review the audit conclusions and ensure that they are consistent with the audit criteria and supported by sufficient and appropriate audit evidence.
The audit team should also ensure that the audit conclusions are communicated to the auditee and other relevant parties in a timely and effective manner, using the agreed audit report format and distribution method.
References: ISO 19011:2018(en), Guidelines for auditing management systems
