prEN ISO 19011

SLOVENSKI STANDARD
01-maj-2025
Smernice za presojanje sistemov vodenja (ISO/DIS 19011:2025)
Guidelines for auditing management systems (ISO/DIS 19011:2025)
Leitfaden zur Auditierung von Managementsystemen (ISO/DIS 19011:2025)
Lignes directrices pour l'audit des systèmes de management (ISO/DIS 19011:2025)
Ta slovenski standard je istoveten z: prEN ISO 19011
ICS:
03.100.70 Sistemi vodenja Management systems
03.120.10 Vodenje in zagotavljanje Quality management and
kakovosti quality assurance
13.020.10 Ravnanje z okoljem Environmental management
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

DRAFT
International
Standard
ISO/DIS 19011
ISO/PC 302
Guidelines for auditing
Secretariat: ANSI
management systems
Voting begins on:
Lignes directrices pour l'audit des systèmes de management
2025-03-17
Voting terminates on:
ICS: 03.120.20
2025-06-09
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Reference number
ISO/DIS 19011:2025(en)
DRAFT
ISO/DIS 19011:2025(en)
International
Standard
ISO/DIS 19011
ISO/PC 302
Guidelines for auditing
Secretariat: ANSI
management systems
Voting begins on:
Lignes directrices pour l'audit des systèmes de management
ICS: 03.120.20 Voting terminates on:
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
© ISO 2025
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
BE CONSIDERED IN THE LIGHT OF THEIR
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
or ISO’s member body in the country of the requester.
NATIONAL REGULATIONS.
ISO copyright office
RECIPIENTS OF THIS DRAFT ARE INVITED
CP 401 • Ch. de Blandonnet 8
TO SUBMIT, WITH THEIR COMMENTS,
CH-1214 Vernier, Geneva
NOTIFICATION OF ANY RELEVANT PATENT
Phone: +41 22 749 01 11
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland Reference number
ISO/DIS 19011:2025(en)
ii
ISO/DIS 19011:2025(en)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles of auditing . 5
5 Managing an audit programme . 6
5.1 General .6
5.2 Establishing audit programme objectives .9
5.3 Determining and evaluating audit programme risks and opportunities .9
5.4 Establishing audit programme.10
5.4.1 Roles and responsibilities of the individual(s) managing the audit programme .10
5.4.2 Competence of individual(s) managing audit programme.11
5.4.3 Establishing extent of audit programme .11
5.4.4 Determining audit programme resources . 12
5.5 Implementing audit programme . 12
5.5.1 General . 12
5.5.2 Defining the objectives, scope and criteria for an individual audit . 13
5.5.3 Selecting and determining auditing methods . 13
5.5.4 Selecting audit team members .14
5.5.5 Assigning responsibility for an individual audit to the audit team leader . 15
5.5.6 Managing audit programme results . 15
5.5.7 Managing and maintaining audit programme records .16
5.6 Monitoring audit programme . .16
5.7 Reviewing and improving audit programme .17
6 Conducting an audit .18
6.1 General .18
6.2 Initiating audit .18
6.2.1 General .18
6.2.2 Establishing contact with auditee .18
6.2.3 Determining feasibility of audit .18
6.3 Preparing auditing activities .19
6.3.1 Performing review of documented information .19
6.3.2 Audit planning .19
6.3.3 Assigning work to audit team . 20
6.3.4 Preparing documented information for audit .21
6.4 Conducting auditing activities .21
6.4.1 General .21
6.4.2 Assigning roles and responsibilities of guides and observers . .21
6.4.3 Conducting opening meeting . 22
6.4.4 Communicating during audit. 23
6.4.5 Audit information availability and access . 23
6.4.6 Reviewing documented information while conducting audit. 23
6.4.7 Collecting and verifying information.24
6.4.8 Generating audit findings . 25
6.4.9 Determining audit conclusions . 25
6.4.10 Conducting closing meeting . 26
6.5 Preparing and distributing audit report . 26
6.5.1 Preparing audit report . 26
6.5.2 Distributing audit report .27
6.6 Completing audit .27
6.7 Conducting audit follow-up . 28

iii
ISO/DIS 19011:2025(en)
7 Competence and evaluation of auditors .28
7.1 General . 28
7.2 Determining auditor competence . 29
7.2.1 General . 29
7.2.2 Personal behaviour . 29
7.2.3 Knowledge and skills . 30
7.2.4 Achieving auditor competence .32
7.2.5 Achieving audit team leader competence . 33
7.3 Establishing auditor evaluation criteria . 33
7.4 Selecting appropriate auditor evaluation method . 33
7.5 Conducting auditor evaluation . 33
7.6 Maintaining and improving auditor competence . 34
Annex A (informative) Additional guidance for auditors for planning and conducting audits .35
Bibliography .46

iv
ISO/DIS 19011:2025(en)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent
rights identified during the development of the document will be in the Introduction and/or on the ISO list of
patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL:
www.iso.org/iso/foreword.html.
This document was prepared by Project Committee ISO/PC 302, Guidelines for auditing management systems.
This fifth edition cancels and replaces the third edition (ISO 19011:2018), which has been technically
revised.
The main differences compared to the third edition are as follows:
— expansion of guidance on remote auditing methods through the introduction of guidance contained in
ISO/IEC TS 17012 Conformity assessment - Guidelines for the use of remote auditing methods in auditing
management systems;
— expansion of Annex A to provide guidance on remote auditing methods and virtual locations.

v
ISO/DIS 19011:2025(en)
Introduction
Since the third edition of this document was published in 2018, several management system standards
have been published in new fields. Most of them have a common structure, identical core requirements
and common terms and core definitions. As a result, there is a need to consider a broader approach to
management system auditing, as well as providing guidance that is more generic.
This document provides guidance which can be applied to audit a range of audit criteria (separately or in
combination), including but not limited to:
— requirements defined in one or more management system standards;
— policies, processes and requirements specified by the organization or other relevant interested parties;
— statutory and regulatory requirements;
— management system plan(s) relating to the provision of specific results of a management system (e.g.
quality plan, project plan).This document provides guidance for all sizes and types of organizations and
audits of varying scopes and scales, including those conducted by large audit teams, typically of larger
organizations, and those by single auditors, whether in large or small organizations. This guidance
should be adapted as appropriate to the scope, complexity and scale of the audit programme.
This document concentrates on internal audits (first party) and audits conducted by organizations on
their external providers and other external interested parties (second party). This document can also be
useful for external audits conducted for purposes other than third party management system certification.
ISO/IEC 17021-1 provides requirements for auditing management systems for third party certification; this
document can provide useful additional guidance (see Table 1).
Table 1 — Different types of audits
st nd rd
1 party 2 party 3 party
Internal audit External provider audit Certification auditor accreditation
assessment
Other external interested party audit Statutory, regulatory and similar
audit
To simplify the readability of this document, the singular form of “management system” is preferred, but the
reader can adapt the implementation of the guidance to their own situation. This also applies to the use of
“individual” and “individuals”, “auditor” and “auditors”.
This document is intended to apply to a broad range of potential users, including auditors, organizations
implementing management systems and organizations needing to conduct management system audits for
contractual or regulatory reasons. Users of this document can, however, apply this guidance in developing
their own audit-related requirements.
The guidance in this document can also be used for the purpose of self-declaration and can be useful to
organizations involved in the training, qualification and certification of persons participating in the audit
program.
The guidance in this document is intended to be flexible. As indicated at various points in the text, the use
of this guidance can differ depending on the size and level of maturity of an organization’s management
system. The nature and complexity of the organization to be audited, as well as the objectives and scope of
the audits to be conducted, should also be considered.
This document adopts the combined audit approach when two or more management systems of different
disciplines are audited together. Where these systems are integrated into a single management system, the
principles and processes of auditing are the same as for a combined audit.

vi
ISO/DIS 19011:2025(en)
This document provides guidance on the management of an audit programme, on the planning and
conducting of management system audits, as well as on the competence and evaluation of an auditor and an
audit team.
vii
DRAFT International Standard ISO/DIS 19011:2025(en)
Guidelines for auditing management systems
1 Scope
This document provides guidance on auditing management systems, including the principles of auditing,
managing an audit programme and conducting management system audits, as well as guidance on the
evaluation of competence of individuals involved in the audit process. These individuals include those
managing the audit programme, auditors and audit teams.
It is applicable to all organizations that need to plan and conduct internal or external audits of management
systems or manage an audit programme.
The application of this document to other types of audits is possible, provided that special consideration is
given to the specific competence needed.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
audit
systematic, independent and documented process for obtaining objective evidence (3.8) and evaluating it
objectively to determine the extent to which the audit criteria (3.7) are fulfilled
Note 1 to entry: Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the
organization itself.
Note 2 to entry: External audits include those generally called second and third party audits. Second party audits
are conducted by parties having an interest in the organization, such as customers, or by other individuals on their
behalf. Third party audits are conducted by independent auditing organizations, such as those providing certification/
registration of conformity or governmental agencies.
[SOURCE: ISO 9000:2015, 3.13.1, modified — Notes to entry have been modified]
3.2
combined audit
audit (3.1) carried out together at a single auditee (3.13) on two or more management systems (3.18)
[SOURCE: ISO 9000:2015, 3.13.2, modified]
3.3
joint audit
audit (3.1) carried out at a single auditee (3.13) by two or more auditing organizations
[SOURCE: ISO 9000:2015, 3.13.3]

ISO/DIS 19011:2025(en)
3.4
remote auditing method
method used for conducting audit activities at any place other than the location of the auditee
Note 1 to entry: Remote auditing methods can be used in combination with on-site methods to achieve a full and
effective audit.
Note 2 to entry: Remote auditing methods can be used for virtual locations, i.e. where an organization performs work
or provides a service using an online environment, enabling individuals to execute processes irrespective of physical
locations.
[SOURCE: ISO/TS 17012:2024]
3.5
audit programme
arrangements for a set of one or more audits (3.1) planned for a specific time frame and directed towards a
specific purpose
[SOURCE: ISO 9000:2015, 3.13.4, modified — wording has been added to the definition]
3.6
audit scope
extent and boundaries of an audit (3.1)
Note 1 to entry: The audit scope generally includes a description of the physical and virtual locations, functions,
organizational units, activities and processes, as well as the time period covered.
Note 2 to entry: A virtual location is where an organization performs work or provides a service using an on-line
environment allowing individuals to perform processes irrespective of physical locations.
3.7
audit plan
description of the activities and arrangements for an audit (3.1)
[SOURCE: ISO 9000:2015, 3.13.6]
3.8
audit criteria
set of requirements (3.23) used as a reference against which objective evidence (3.8) is compared
Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words “compliance”
or “non-compliance” are often used in an audit finding (3.10).
Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements, contractual
obligations, etc.
[SOURCE: ISO 9000:2015, 3.13.7, modified — the definition has been changed and Notes to entry 1 and 2
have been added]
3.9
objective evidence
data supporting the existence or verity of something
Note 1 to entry: Objective evidence can be obtained through observation, measurement, test or by other means.
[SOURCE: ISO 9000:2015, 3.8.3]
3.10
audit evidence
records, statements of fact or other information, which are relevant to the audit criteria (3.7) and verifiable
[SOURCE: ISO 9000:2015, 3.13.8]

ISO/DIS 19011:2025(en)
3.11
audit findings
results of the evaluation of the collected audit evidence (3.9) against audit criteria (3.7)
Note 1 to entry: Audit findings indicate conformity (3.20) or nonconformity (3.21).
Note 2 to entry: Audit findings can lead to the identification of risks, opportunities for improvement or recording good
practices.
Note 3 to entry: In English when the audit criteria are selected from statutory requirements or regulatory
requirements, the audit finding is termed compliance or non-compliance.
[SOURCE: ISO 9000:2015, 3.13.9, modified — Notes to entry 2 and 3 have been modified]
3.12
audit conclusion
result of an audit (3.1), after consideration of the audit objectives and all audit findings (3.10)
[SOURCE: ISO 9000:2015, 3.13.10]
3.13
audit client
organization or person requesting an audit (3.1)
Note 1 to entry: In the case of internal audit, the audit client can also be the auditee (3.13) or the individual(s) managing
the audit programme (3.4). Requests for external audit can come from sources such as regulatory authorities,
contracting parties or potential or existing clients.
3.14
auditee
organization as a whole or parts thereof being audited
[SOURCE: ISO 9000:2015, 3.13.12, modified]
3.15
audit team
one or more persons conducting an audit (3.1), supported if needed by technical experts (3.16)
Note 1 to entry: One auditor (3.15) of the audit team (3.14) is appointed as the audit team leader.
Note 2 to entry: The audit team can include auditors-in-training.
[SOURCE: ISO 9000:2015, 3.13.14]
3.16
auditor
person who conducts an audit (3.1)
[SOURCE: ISO 9000:2015, 3.13.15]
3.17
technical expert
person who provides specific knowledge or expertise to the audit team (3.14)
Note 1 to entry: Specific knowledge or expertise relates to the organization, the activity, process, product, service,
discipline to be audited, or language or culture.
Note 2 to entry: A technical expert to the audit team (3.14) does not act as an auditor (3.15).
[SOURCE: ISO 9000:2015, 3.13.16, modified — Notes to entry 1 and 2 have been modified]

ISO/DIS 19011:2025(en)
3.18
observer
individual who accompanies the audit team (3.14) but does not act as an auditor (3.15) nor a technical
expert (3.16)
[SOURCE: ISO 9000:2015, 3.13.17, modified]
3.19
management system
set of interrelated or interacting elements of an organization to establish policies and objectives, and
processes (3.24) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines, e.g. quality management,
financial management or environmental management.
Note 2 to entry: The management system elements establish the organization’s structure, roles and responsibilities,
planning, operation, policies, practices, rules, beliefs, objectives and processes to achieve those objectives.
Note 3 to entry: The scope of a management system can include the whole of the organization, specific and identified
functions of the organization, specific and identified sections of the organization, or one or more functions across a
group of organizations.
[SOURCE: ISO 9000:2015, 3.5.3, modified — Note 4 to entry has been deleted]
3.20
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected – positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence and likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events and consequences, or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes
in circumstances) and the associated likelihood of occurrence.
[SOURCE: ISO 9000:2015, 3.7.9, modified — Notes to entry 5 and 6 have been deleted]
3.21
conformity
fulfilment of a requirement (3.23)
[SOURCE: ISO 9000:2015, 3.6.11, modified — Note 1 to entry has been deleted]
3.22
nonconformity
non-fulfilment of a requirement (3.23)
[SOURCE: ISO 9000:2015, 3.6.9, modified — Note 1 to entry has been deleted]
3.23
competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO 9000:2015, 3.10.4, modified — Notes to entry have been deleted]
3.24
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested
parties that the need or expectation under consideration is implied.

ISO/DIS 19011:2025(en)
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
[SOURCE: ISO 9000:2015, 3.6.4, modified — Notes to entry 3, 4, 5 and 6 have been deleted]
3.25
process
set of interrelated or interacting activities that use inputs to deliver an intended result
[SOURCE: ISO 9000:2015, 3.4.1, modified — Notes to entry have been deleted]
3.26
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative results.
Note 2 to entry: Performance can relate to the management of activities, processes (3.24), products, services, systems
or organizations.
[SOURCE: ISO 9000:2015, 3.7.8, modified — Note 3 to entry has been deleted]
3.27
effectiveness
extent to which planned activities are realized and planned results achieved
[SOURCE: ISO 9000:2015, 3.7.11, modified — Note 1 to entry has been deleted]
4 Principles of auditing
Auditing is characterized by reliance on a number of principles. These principles should help to make the
audit an effective and reliable tool in support of management policies and controls, by providing information
on which an organization can act in order to improve its performance. Adherence to these principles is
a prerequisite for providing audit conclusions that are relevant and sufficient, and for enabling auditors,
working independently from one another, to reach similar conclusions in similar circumstances.
The guidance given in Clause 5 to Clause 7 is based on the seven principles outlined below.
a) Integrity: the foundation of professionalism
Auditors and the individual(s) managing an audit programme should:
— perform their work ethically, with honesty and responsibility;
— only undertake auditing activities if they are competent to do so;
— perform their work in an impartial manner, i.e. remain fair and unbiased in all their dealings;
— be sensitive to any influences that may be exerted on their judgement while carrying out an audit.
b) Fair presentation: the obligation to report truthfully and accurately
Audit findings, audit conclusions and audit reports should reflect truthfully and accurately the auditing
activities. Significant obstacles encountered during the audit and unresolved diverging opinions
between the audit team and the auditee should be reported. The communication should be truthful,
accurate, objective, timely, clear and complete.
c) Due professional care: the application of diligence and judgement in auditing
Auditors should exercise due care in accordance with the importance of the task they perform, and
the confidence placed in them by the audit client and other interested parties. An important factor in
carrying out their work with due professional care is having the ability to make reasoned judgements in
all audit situations.
ISO/DIS 19011:2025(en)
d) Confidentiality: security of information
Auditors should exercise discretion in the use and protection of information acquired in the course of
their auditing activities. Audit information should not be used inappropriately for personal gain by the
auditor or the audit client, or in a manner detrimental to the legitimate interests of the auditee. This
principle includes the proper handling of sensitive or confidential information.
e) Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
Auditors should be independent of the activity being audited wherever practicable, and should in all
cases act in a manner that is free from bias and conflict of interest. For internal audits, auditors should
be independent from the function being audited if practicable. Auditors should maintain objectivity
throughout the audit process to ensure that the audit findings and conclusions are based only on the
audit evidence.
For small organizations or for special cases, it may not be possible for internal auditors to be fully
independent of the activity being audited, but every effort should be made to remove bias and encourage
objectivity.
f) Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions
in a systematic audit process
Audit evidence should be verifiable. It should in general be based on samples of the information available,
since an audit is conducted during a finite period of time and with finite resources. An appropriate use
of sampling should be applied, since this is closely related to the confidence that can be placed in the
audit conclusions.
g) Risk-based approach: an audit approach that considers risks and opportunities
The risk-based approach should substantively influence the planning and implementation of the audit
programme and the planning and conducting and reporting of audits in order to ensure that audits
are focused on matters that are significant for the audit client, and for achieving the audit programme
objectives.
5 Managing an audit programme
5.1 General
An audit programme, which can include audits addressing one or more management system standards or
other requirements, conducted either separately or in combination (combined audit), should be established.
The extent of an audit programme should be based on the size and nature of the auditee, as well as on
the nature, functionality, complexity, the type of risks and opportunities, and the level of maturity of the
management system(s) to be audited.
The functionality of the management system can be even more complex when most of the important
functions are outsourced and managed under the leadership of other organizations. Particular attention
needs to be paid to where the most important decisions are made and what constitutes the top management
of the organization.
In the case of multiple locations/sites, or where important functions are outsourced and managed under
the leadership of another organization, particular attention should be paid to the design, planning and
confirmation of the audit programme.
The audit programme should be scaled in accordance with the size and complexity of the organization.
In order to understand the context of the auditee, the audit programme should take into account the
auditee’s:
— organizational objectives;
ISO/DIS 19011:2025(en)
— relevant external and internal issues;
— consideration of whether climate change is a relevant issue;
— needs and expectations of relevant interested parties;
— application of technology or digital tools;
— information security and confidentiality requirements.
The planning of internal audit programmes and, in some cases programmes for auditing external providers,
can be arranged to contribute to other objectives of the organization.
The individual(s) managing the audit programme should ensure that the integrity of the audit is maintained
and that there is no undue influence exerted over the audit.
Priority should be given in the audit programme to allocating resources and methods to matters in a
management system with higher inherent risk and lower level of performance.
Competent individuals should be assigned to manage the audit programme (see 5.4.2).
The audit programme should include information and identify resources to enable the audits to be conducted
effectively and efficiently within the specified time frames. The information should include:
a) objectives for the audit programme (see 5.2);
b) risks and opportunities associated with the audit programme (see 5.3) and the actions to address them;
c) scope (extent, boundaries, locations) of each audit within the audit programme;
d) schedule (number/duration/frequency) of the audits;
e) audit types, such as internal or external;
f) audit criteria;
g) auditing methods to be employed, including remote auditing methods (see A.16);
h) criteria for selecting the audit team (audit team leader, auditors and, if needed, technical experts);
i) criteria for participation of observers and others, where relevant;
j) the organization’s internal and external context;
k) relevant documented information.
Some of this information may not be available until more detailed audit planning is completed.
The implementation of the audit programme should be monitored and assessed on an ongoing basis (see 5.6)
to ensure its objectives have been achieved. The audit programme should be reviewed in order to identify
needs for changes and possible opportunities for improvements (see 5.7).
Figure 1 illustrates the process flow for the management of an audit programme.

ISO/DIS 19011:2025(en)
NOTE 1 This Figure illustrates the application of the Plan-Do-Check-Act cycle in this document.
NOTE 2 Clause/subclause numbering refers to the relevant clauses/subclauses of this document.

ISO/DIS 19011:2025(en)
NOTE 3 Conducting audit follow-up (6.7) may not always be applicable, as illustrated by the dashed lines.
Figure 1 — Process flow for the management of an audit programme
5.2 Establishing audit programme objectives
The audit client should ensure that the audit programme objectives are established to direct the planning and
conducting of audits and should ensure the audit programme is implemented effectively. Audit programme
objectives should be consistent with the audit client’s strategic direction and support its management
system policy and objectives.
These objectives can be based on consideration of the following:
a) needs and expectations of relevant interested parties, both external and internal;
b) characteristics of and requirements for processes, products, services and projects, and any changes to them;
c) management system requirements, including differing specific requirements covered during a
combined audit;
d) need for evaluation of organizations that are part of the supply chain;
e) auditee’s level of performance and level of maturity of the management system(s), as reflected in
relevant performance indicators, the occurrence of nonconformities or incidents or complaints from
interested parties;
f) identified risks and opportunities to the auditee;
g) results of previous audits.
Examples of audit programme objectives can include the following:
— identifying opportunities for the improvement of a management system and its performance;
— evaluating the capability of the auditee to determine its context;
— evaluating the capability of the auditee to determine risks and opportunities and to identify and
implement effective actions to address them;
— determining the conformance to all relevant requirements, e.g. statutory and regulatory requirements,
compliance commitments, requirements for certification to a management system standard;
— establishing the level of confidence in the capability of an organization in the supply chain;
— establishing criteria that may include the type of information being processed by the organization in
the supply chain, the organization's level of access to information, the importance of the process being
outsourced or the services being provided, provider risk and/or customer contractual obligations;
— determining the continuing suitability, adequacy and effectiveness of the auditee’s management system;
— evaluating the compatibility and alignment of the management system objectives with the strategic
direction of the organization.
5.3 Determining and evaluating audit programme risks and opportunities
There are risks and opportunities related to the context of the auditee that can be associated with an
audit programme and can affect the achievement of its objectives. The individual(s) managing the audit
programme should identify and present the determined risks and opportunities to the audit client when
developing the audit programme and resource requirements, so that they can be addressed appropriately.

ISO/DIS 19011:2025(en)
Risks can
...