
Audit

An audit is an evidence gathering process. Audit evidence is
used to evaluate how well audit criteria are being met. Audits
must be objective, impartial, and independent, and the audit
process must be both systematic and documented.

There are three types of audits: first-party, second-party, and
third-party. First-party audits are internal audits. Second and
third party audits are external audits.

Organizations use first party audits to audit themselves. First
party audits are used to confirm or improve the effectiveness
of management systems. They're also used to declare that an
organization complies with an ISO standard (this is called a
self-declaration). Of course, such a declaration is credible
only if first party auditors are genuinely independent and
free of bias. If you decide to use first party auditors to
make a self-declaration of compliance, make sure
that they aren't auditing their own work.

Second party audits are external audits. They're usually
done by customers or by others on their behalf. However,
they can also be done by regulators or any other external
party that has a formal interest in an organization.

Third party audits are external audits as well. However,
they're performed by independent organizations such
as registrars (certification bodies) or regulators.

ISO 19011 2011 also distinguishes between combined
audits and joint audits. When two or more management
systems of different disciplines are audited together at the
same time, it's called a combined audit; and when two or
more auditing organizations cooperate to audit a single
auditee organization it's called a joint audit.

ISO 19011 2011 should be used by those who carry out
first and second party audits. ISO/IEC 17021 2011 should
be used by those who carry out third party audits.

Auditee

An auditee is an organization (or part of an organization)
that is being audited. Organizations can include companies,
corporations, enterprises, firms, charities, associations,
and institutions. Organizations can be either incorporated or
unincorporated and can be privately or publicly owned.

Auditor

An auditor is a person who carries out audits. Auditors collect
evidence in order to evaluate how well audit criteria are being met.
They must be objective, impartial, independent, and competent.

ISO 19011 distinguishes between internal and external auditors.
Internal auditors perform first party audits while external auditors
perform second and third party audits.

Audit client

An audit client is any person or organization that requests an
audit. Internal audit clients can be either the auditee or audit
program manager whereas external audit clients can include
regulators or customers or any other parties that have a legal
or contractual right or obligation to carry out an audit.

Audit conclusions

Audit conclusions are drawn by the audit team after the audit
has been completed and after audit findings and audit objectives
have been considered. Audit findings result from a process that
evaluates audit evidence and compares it against audit criteria.

Audit criteria

Audit criteria include policies, procedures, and requirements.
Audit evidence is used to determine how well audit criteria are
being met. Audit evidence is used to determine how well policies
are being implemented, how well procedures are being applied,
and how well requirements are being followed.

When requirements are used as audit criteria, auditors often use
the terms conformity and nonconformity to indicate whether or not
requirements are being met. However, when legal requirements are
used as audit criteria, auditors tend to use the terms compliance
and noncompliance (instead of conformity and nonconformity).

Audit evidence

Audit evidence includes records, factual statements, and other
verifiable information that is related to the audit criteria being used.
Audit criteria include policies, procedures, and requirements.

Audit evidence can be either qualitative or quantitative.
Objective evidence is information that shows or proves
that something exists or is true.

Audit findings

Audit findings result from a process that evaluates audit
evidence and compares it against audit criteria. Audit findings
can show that audit criteria are being met (conformity) or that
they are not being met (nonconformity). They can also identify
best practices or improvement opportunities.

Audit plan

An audit plan specifies how you intend to conduct a particular
audit. It describes the activities you intend to carry out in order
to achieve your audit objectives.

Audit program

An audit program (or programme) is a set of arrangements that
are intended to achieve a specific audit purpose within a specific
time frame. It includes all of the activities and resources needed
to plan, organize, and conduct one or more audits.

ISO 19011 expects organizations to appoint audit program
managers. They are responsible for setting objectives, assigning
responsibilities, allocating resources, and monitoring performance.

Audit scope

The scope of an audit is a statement that specifies the focus, extent,
and boundary of a particular audit. The scope can be specified by
defining the physical location of the audit, the organizational units
that will be examined, the processes and activities that will be
included, and the time period that will be covered.

Audit team

An audit team is made up of one or more auditors, one of whom is
appointed to be the audit leader. The audit team may also include
audit trainees.

When necessary, audit teams are also supported by guides and
technical experts. Guides and technical experts assist auditors
but do not themselves act as auditors.

Competence

Competence means being able to apply knowledge and skill
to achieve intended results. Being competent means having the
knowledge and skill that you need and knowing how to apply it.
Being competent means that you know how to do your job.

Conformity

Conformity is the "fulfillment of a requirement". To conform means
to meet or comply with requirements. There are many types
of requirements. There are management system requirements,
customer requirements, contractual requirements, regulatory
requirements, statutory requirements and so on.

Guide

Guides are appointed by auditee organizations to help auditors.
However, they may not influence or interfere with the conduct of
an audit. Guides are expected to identify potential interviewees, to
confirm interview schedules, to arrange access to auditee locations,
and to make sure that auditors and observers are familiar with all
relevant safety and security procedures. They may also be asked
to help auditors collect information and provide clarification.

Management system

A management system is a set of interrelated or interacting
elements that organizations use to establish and implement
policies and set and achieve objectives.

There are many types of management systems. Some of
these include quality management systems, environmental
management systems, emergency management systems, food
safety management systems, occupational health and safety
management systems, information security management
systems, and business continuity management systems.

Nonconformity

Nonconformity is the "non-fulfillment of a requirement". It is a
failure to comply with requirements. A requirement is a need,
expectation, or obligation. It can be stated or implied by an
organization, its customers, or other interested parties.

Observer

Observers accompany auditors and witness audit activities.
However, they're not audit team members and therefore do
not perform audit functions. They may not influence or interfere
with the audit. Observers can represent auditee organizations,
regulators, or any other interested party.

Risk

According to ISO Guide 73, risk is the effect of uncertainty on
objectives and an effect is a positive or negative deviation from
what is expected. So, risk is the chance that there will be a positive
or negative deviation from the objective you hope to achieve.

Technical expert

Technical experts support audit teams by providing specific
expertise or knowledge about the organization, process, or
activity being audited or about the auditee's language or
culture. They do not act as auditors.

The above definitions are based on ISO 19011 2011, section 3,
Terms and definitions. We've translated these definitions into
Plain English in order to make them easier to understand.

http://www.praxiom.com/19011.htm
