IMS Documentation Guide for Audit Program

An ISO audit is carried out to confirm that the existing Management System (MS) complies with the ISO standard of your choice. The audit helps organisations identify and address issues and discover potential improvements in their MS software so that best-practice processes are in place. An ISO audit is conducted against an audit program that maps the standard's clauses to a schedule of periodic reviews.

The ISO requirement for the audit program is that you plan, establish, implement, and maintain it, meaning that you need to have an ongoing program in effect rather than a one-off exercise.

The guidance covers which audits you need to conduct for the ISO standard of choice, including timeframes, responsibilities, and results.


Responsibility for planning and conducting internal audits shall be allocated to an impartial auditor who is independent of the process/area being audited and who is competent on the basis of training and experience.

Management system processes are reviewed, and an annual Internal Audit Programme is planned (located in the Toolbox).

The programme shall define the activities to be audited and the month(s) in which each audit is due. Each relevant activity shall be audited on the schedule set by its risk rating (see below); complex, critical, or uncertain areas may be subject to more frequent audits and greater depth of investigation.

Risk ratings are assigned through discussions with senior management. Areas identified as high risk will be audited more frequently. Medium-risk areas will be audited at least annually. Low-risk areas will be audited on a biennial basis.

Risk ratings will be revisited more frequently through the management review process if required. The raising of a nonconformity, through the internal or external audit process, will initiate a review of the individual risk. Other factors that could lead to a change in the risk rating include, but are not limited to: statutory and regulatory compliance issues, complaints from stakeholders, and issues identified through the management review and the risk register.

The internal audit programme is embedded in the MS (Management System) Toolbox.



Nonconformity: A situation that has failed to meet planned arrangements or requirements.

Complaint: A nonconformity identified/reported by an external party, such as a customer.

Rectification: Steps taken to rectify/resolve a nonconformity or complaint.

Corrective Action: Steps [to be] taken to avoid or mitigate the event's recurrence.

Risk Mitigation: Actions taken to eliminate the cause of, or control, nonconformities which may arise.


This procedure sets out how The Organisation detects and treats nonconformities and drives improvement in quality, health and safety (H&S), information security, and environmental performance.


All incidents, nonconformities, complaints, etc. (collectively referred to as 'Incidents') shall be reported to management upon identification, and the details recorded in the Issue Log or the Supplier Performance Indicator.

It is the responsibility of all individuals conducting work on behalf of the organisation to report all accidents and Incidents, as these are improvement opportunities. Management's responsibility is to record the event, investigate the cause, ensure rectification, and implement appropriate corrective actions.


The organisation has addressed the controls required to ensure that any products that do not conform to requirements are identified and controlled to prevent unintended use or delivery. 


Management shall investigate identified Incidents to establish both the direct cause and the root cause. Steps taken, or to be taken, to rectify and resolve the situation shall be established and implemented. If the Incident involves an external party, such as a customer, clear communication about the response shall be ensured. If the Incident may be batch-related, potentially affecting other situations/locations/clients, management must consider whether to intervene where a similar issue could arise elsewhere. Instruction shall be given regarding the disposition of Nonconforming Products and recorded appropriately.


Following rectification of the individual Incident (i.e. addressing the problem), management must then consider what Corrective Actions are necessary to avoid the recurrence of (or mitigate the effect of) a similar Incident in the future (i.e. addressing the cause). This may be done at the time of the Incident and, strategically, within periodic reviews.

An annual management system review is carried out. This review re-assesses all Incidents recorded within that period, identifies any trends or recurring problems, and verifies whether the corrective actions that have been established have effectively addressed the causes and avoided or mitigated recurrence. All these activities are recorded in the dedicated section of the MS (Management System) Toolbox.

Step 10 - Audit Program