What is meant by the Audit Objective, Scope and Criteria?
Updated: Jul 11, 2019
In this blog you will learn how to define a clear and concise audit objective, scope and criteria. As a result, you will be able to communicate those to all parties involved in the audit process.
I’ve mentioned before that ISO have published a guidance standard on practices of effective auditing. In this standard, you will see the terms audit objective, scope and criteria.
What is the audit objective?
The audit objective really means the purpose or the goal for this particular audit.
A really simple way to write that (or put it together) is just express it in plain business language…
What are we trying to achieve by doing this audit? What is the aim? What are we doing it for?
One little tip here, if we’re not sure and we have to be auditing against a particular procedure or work instruction, look at the stated purpose of that procedure. Very often, we can turn that into our objective as well.
Keep in mind that we are going to communicate our objective, scope and criteria – and most often we communicate that to our auditees ahead of time.
So, if we are going to do an internal audit, you can define these terms, get in contact with the team you are going to audit. Ensure it makes sense to them.
It is important that they understand why you are coming, what you are covering and what you are auditing against.
What is the audit scope?
The big tip when defining this is to be as specific as possible, by stating when the audit will start and when it will end.
It's saying “for the audit I’m planning to do in a week, where exactly am I meant to start auditing, and where exactly am I meant to stop auditing?”
As an example from the video… Looking at a couple of our operational processes; one could be production and one could be a dispatch process – am I there to audit both of them? Or alternatively, is it just the production process that needs to be audited? Or, is it even a subset (not the full production process) just the first few steps?
That is what you need to outline in the scope.
Again, if we are at an organisation with multiple sites, let’s make it as specific as possible. One site might have lots of different departments and teams undertaking lots of different processes – and it is quite likely we are not there to audit ALL of those things.
You can put some boundaries around your audit by time as well. We might say we’re going to come and audit the safety induction processes at a specific site that have been applied over the last 12 months.
Fundamentally, this is stating where you start auditing, and where you stop.
I’ll give you a ridiculous example about scope – If you asked me to audit Australian Defense Force with 50,000 staff and multiple sites and the scope was too broad, “Andrew, conduct an audit in defense”… You’re never going to see me again. It would take me 50 years to finish it. We must put some boundaries so the auditee and auditor are very clear on what we’re covering.
What is the audit criteria?
You can use this word interchangeably with requirements.
By definition, for an audit, there must be some pre-established criteria or requirements for us to audit against.
If the requirements are neatly defined for us in a procedure or work instruction, that’s great. But, there can be requirements that we have to audit that aren’t defined for us in a nice procedure to follow. We are going to explore this idea further in a later blog.
It is not technically an audit if there is no requirements to audit against. I’m not being sent out there to give my opinion on what I think should be happening, and how that process should be conducted. I am going to be looking at the pre-established requirements.
I need to have an understanding of these pre-established requirements before the audit so that I can conduct it effectively.
I’ll give you one example of that from some environment safety work that I did at a Ski resort in Victoria not long ago...
I had a customer come to me and ask “Andrew can you come and do an environmental audit?” I had one at a Ski resort in Victoria not long ago.
The first thing I replied was “that’s great I’m happy to do that, but what am I meant to audit against?”
And their answer was “Oh no, we want you to come and tell us what our environmental impacts are.”
That’s fine, but that is a different tool. It is not an audit process, it is an environmental assessment.
You have to understand that there must be some criteria or requirements in order for it to be considered an audit.
1. Objective = the purpose of the audit (what you are trying to achieve by doing the audit, what is the aim?)
2. Scope = Where you are going to start and stop the audit. (this can be broken into the processes you are auditing, or time-bound)
3. Criteria = the requirements to audit against.
A big tip with any of these (objective, scope, criteria) is that if we are not sure what they are, seek some guidance from your compliance manager or someone like that BEFORE you start the audit. This will ensure that everyone is on the same page, and the audit runs as smoothly as possible.
On our Resources page, you can download examples of documented objective, scope and criteria.
In our next blog, we are going to look at why you need an Audit Plan, and if this is always needed.