7.2 Preparing the Audit Plan, Checklists & Working Documents

Key Takeaways

  • An ISO 19011:2018 audit plan must state objectives, scope, criteria, locations/dates/duration, methods including sampling extent, roles and responsibilities, and resource allocation to critical areas.
  • Risk-based planning directs more time and larger or more targeted samples toward higher-risk processes, consistent with ISO 19011's seventh audit principle.
  • Work assignments consider team-member independence, competence, and the distinct roles of team leaders, auditors, technical experts, and auditors-in-training.
  • Checklists are memory aids, not scripts; working documents must never restrict an auditor from investigating evidence uncovered during the audit.
  • The audit plan must be reviewed and accepted by the audit client and presented to the auditee before the opening meeting.
Last updated: July 2026

Document review tells you what to expect. The audit plan tells the team, the auditee, and the audit client what will actually happen — and the checklists and working documents are what an auditor carries onto the floor. All three deserve the same discipline the standard itself demands of the auditee.

What the Audit Plan Must Cover (Clause 6.3.2)

ISO 19011:2018 expects the audit plan to address:

  • The audit objectives — what the audit is meant to achieve
  • The audit scope, including identification of the organizational and functional units and the processes to be audited
  • The audit criteria — the standard, requirements, and reference documents the audit is measured against
  • Locations, dates, and expected time and duration of on-site audit activities, including planned meetings with the auditee's management
  • The methods to be used, including the extent of audit sampling needed
  • Roles and responsibilities of audit team members and, where relevant, guides and observers
  • Allocation of appropriate resources to the critical areas of the audit

The plan should be reviewed and accepted by the audit client and presented to the auditee, typically before or at the opening meeting. Any auditee objection to the plan should be resolved between the audit team leader, the auditee, and the audit programme manager before the audit proceeds.

Risk-Based Planning

ISO 19011:2018's seventh principle — the risk-based approach — becomes concrete here. The audit programme manager and audit team leader weigh risk when building the plan: the risk that the audit will not achieve its objectives, that access to objective evidence will be restricted, or that a critical process will be under-sampled. A process with a history of nonconformities, a safety-critical operation, or a newly outsourced activity should get more time and a larger or more targeted sample; a stable, well-evidenced area can be sampled more lightly. This is not window dressing — it is the mechanism that keeps a fixed-duration audit, such as a two- or three-day certification surveillance visit, proportionate to what actually matters.

In practice, this means the audit plan is not a single fixed timetable applied identically to every auditee. Two organizations certified to the same clauses of ISO 9001:2015 can receive very different time allocations on the same audit plan template if one has a clean three-year nonconformity history and the other has open corrective actions from its previous surveillance visit. The plan should make that weighting visible — for example, allocating a larger block of on-site time to design and development (Clause 8.3) at an organization that has recently changed its product range, while allocating a lighter, confirmatory pass to a stable, long-certified administrative process.

Work Assignments

The audit team leader assigns each team member responsibility for auditing specific processes, functions, sites, or activities. Assignments take into account the need for independence and competence of team members, the efficient use of resources, and the different roles of team leaders, auditors, technical experts, and auditors-in-training. Assignments can be adjusted during the audit to ensure objectives are still met if circumstances change.

Preparing Working Documents

Clause 6.3.3 covers preparing working documents: checklists, audit sampling plans, and forms for recording information — supporting evidence, audit findings, and meeting records.

Checklists That Don't Become Tick-Boxes

A checklist is a memory aid and a structure, not a script. The moment an auditor works straight down a checklist ticking boxes without follow-up, they have stopped auditing and started performing a paperwork exercise. Effective checklists:

  • Group questions around a process, not just a clause number, so the auditor tracks how the process actually flows end to end
  • Prompt lines of enquiry ("show me evidence that…") rather than yes/no questions
  • Leave room to record what was actually found, not only a pass/fail mark
  • Are treated as a floor, not a ceiling — ISO 19011 explicitly notes that working documents should not restrict additional audit activities or investigation that becomes necessary because of information collected during the audit
Poor checklist useGood checklist use
Auditor reads an item, gets a "yes," ticks the box, moves onAuditor reads an item, asks to see the record, and follows any inconsistency to its source
Every clause gets equal time regardless of riskTime is weighted toward the higher-risk processes identified during planning
Auditor never deviates from the checklist orderAuditor follows the evidence trail even when it interrupts the checklist sequence
The checklist itself is treated as the audit recordThe checklist supports, but never replaces, properly recorded objective evidence

A working document set built this way also protects the audit team leader's own accountability: if a finding is later challenged, the plan and checklist show that the sample was chosen deliberately, based on documented risk factors from Section 7.1's document review, rather than picked arbitrarily on the day.

With the plan finalized, checklists built around risk, and the sampling approach set, the team is ready for the opening meeting — where that plan gets confirmed with the auditee before any evidence is collected.

Test Your Knowledge

Per ISO 19011:2018, which of the following must an audit plan address?

A
B
C
D
Test Your Knowledge

An auditor completes a facility audit by working straight down a generic checklist, ticking each item 'compliant' after a quick glance, and does not follow up when an answer seems inconsistent with the documented procedure. What is the main risk in this approach, per ISO 19011:2018 guidance on working documents?

A
B
C
D