Audit Scope and Criteria
Don’t forget the scope and criteria when auditing.
Start at the Very Beginning
When conducting an audit there are three fundamentals that need to be agreed upon before the audit starts; the objective, the scope, and the criteria. The objective is why we are doing the audit and we will discuss that in a different article.
In this post, I want to focus on the audit scope and the audit criteria.
The scope defines the boundaries of the audit, that is, what the audit will cover, and just as important what it will not cover. The scope can be formed on particular products or services, locations, departments, individual projects, time periods, and even specific processes (although this is sometimes better addressed in the criteria).
The reason we need a scope - and this equally applies to the auditor and to the auditee - is so we know what the audit is going to cover.
Let me give you some examples:
- The audit will cover the manufacture of product A and B, but not the manufacture of product C.
- The audit will cover head office plus the branches in New York, London, and Tokyo.
- The audit will cover the work period from January through to June inclusively.
Without an effective scope, both the auditor and the auditee are unsure of the boundaries of the audit and time is often wasted through checking and verifying information that is not required (out of scope).
The criteria are what the auditor checks against. This audit criteria can be internal documents such as; policies, processes, or procedures. Or it can be external documentation such as; international standards, industry guidelines, or legislation.
The role of the auditor is to accurately assess the audit scope through observation and activities to determine the level of compliance with the criteria.
Where the criteria are not clearly documented, there is a risk that both the auditor and the auditee may have different opinions on what should be occurring (note: there is a level of this anyway even with documented criteria!). Any non-conformances raised should be directly related back to the audit criteria, which of course is far easier to evidence if the criteria are actually documented.
In summary, both the auditor and especially the auditee should be absolutely clear on and in agreement with what is included in both the audit scope and the audit criteria. These should be agreed to during the preliminary stages prior to the start of the audit and then reconfirmed at the opening meeting.