7.1 Initiating the Audit & Reviewing Documented Information
Key Takeaways
- Establishing contact with the auditee confirms communication channels, authority, proposed dates, scope, confidentiality, and access before any on-site activity begins.
- Feasibility depends on sufficient information, adequate auditee cooperation, and adequate time and resources; the audit team leader escalates gaps to the audit programme manager.
- Reviewing documented information before the audit checks whether the described system appears to conform to the audit criteria and shapes what to sample on-site.
- In third-party certification under ISO/IEC 17021-1, this document review is formalized as the stage 1 audit, which evaluates readiness for stage 2.
- Depth of document review should scale with the auditee's size, nature, and complexity, and can be combined with the on-site visit for very small organizations.
The moment an audit programme manager assigns you to lead an audit, the clock starts — but not on on-site activity. Two steps happen first: establishing contact with the auditee and reviewing what they've already documented. Skipping or rushing either one is where audits go wrong before an auditor ever sets foot on-site.
Establishing Contact with the Auditee (ISO 19011:2018 Clause 6.2.2)
As audit team leader — or, on a small internal programme, the audit programme manager acting for the team — your first formal act is establishing contact with the auditee's management. This is not a courtesy call; it is used to:
- Confirm the communication channels with the auditee's representatives
- Provide the audit team's authority to conduct the audit (especially important for third-party/certification audits, where authority flows from the accredited certification body)
- Give advance notice of the proposed dates, the audit team's composition, and any external participants (e.g., an auditor-in-training or a technical expert)
- Request access to relevant documented information, including records
- Determine applicable statutory, regulatory, and contractual requirements relevant to the auditee's activities and products
- Confirm the audit scope as communicated to the auditee
- Determine confidentiality requirements
- Arrange logistics — site access, safety/security arrangements, and, where the audit will include them, the participation of observers or guides
For a first-party (internal) audit inside an organization with a mature internal-audit programme, this step can be brief — an email confirming dates and scope. For second- and third-party audits it is more formal and usually confirmed in writing, because the auditee may not know the auditor and needs assurance that the audit is properly authorized. Combined audits (two or more management systems audited together, e.g., quality and environmental) and joint audits (two or more audit organizations auditing the same auditee together) both need this contact step handled with extra care, since scope, criteria, and reporting arrangements have to be agreed for every system or organization involved before dates are locked in.
Determining Feasibility
ISO 19011:2018 requires the audit team leader to determine whether the audit is feasible before committing resources to it. Feasibility rests on three things being available in sufficient measure:
- Sufficient and appropriate information to plan the audit
- Adequate cooperation from the auditee — access to people, facilities, records, and information
- Adequate time and resources to carry out the audit properly
If any of these is missing — key personnel are unavailable for the whole audit window, or documentation for an in-scope process simply does not yet exist — the audit team leader reports this to the audit programme manager. Where feasibility cannot be resolved as planned, an alternative should be proposed to the audit programme manager, in consultation with the auditee, before the audit proceeds: rescheduling, adjusting scope, or splitting the visit are typical outcomes.
Reviewing Documented Information Before the Audit (Clause 6.3.1)
Before any on-site activity, the auditor reviews the auditee's relevant documented information — quality policy statements, procedures, process maps, previous internal- and external-audit reports, and applicable records — to gather information supporting the planned audit activities and to establish, as far as documentation allows, whether the described system appears to conform to the audit criteria without significant gaps.
| What's reviewed | Why it matters for planning |
|---|---|
| Quality policy & objectives | Confirms scope and top-management intent align with the claimed certification scope |
| Process documentation / procedures | Identifies which processes and interfaces to sample on-site |
| Previous audit reports (internal + external) | Flags recurring nonconformities or areas needing re-verification |
| Organizational chart / responsibilities | Shapes who to interview and when |
| Legal/regulatory register | Confirms applicable requirements the audit criteria must reflect |
The depth of this review should reflect the size, nature, and complexity of the auditee and the audit's objectives and scope. For a very small organization, or where documentation is minimal, the review can be combined with the on-site visit rather than performed as a separate desk exercise — but it must still happen before conclusions are drawn.
Stage 1 Readiness Review (Third-Party Certification)
In an ISO/IEC 17021-1 certification context, this document-review step is formalized as the stage 1 audit. Its purpose goes beyond a desk check: it evaluates the auditee's management-system documentation, evaluates site-specific conditions, confirms the auditee understands the requirements of the standard, and reviews the status and understanding of QMS implementation — including whether internal audits and management review are being planned and performed, and whether the level of implementation confirms readiness for stage 2.
Stage 1 findings directly shape the stage 2 audit plan: they focus stage 2 resources on higher-risk areas, confirm resource allocation is adequate, and, where readiness is insufficient, can result in stage 2 being deferred. That link — from "what we found reviewing documents" to "how we plan the on-site audit" — is exactly where Section 7.2 picks up.
Why Initiating and Reviewing Matter Beyond the Paperwork
It is tempting to treat contact-making and document review as administrative overhead that happens before the "real" audit starts on-site. On the CQI/IRCA syllabus, and in practice, they are not separable from audit quality. An auditor who skips or rushes document review arrives on-site without a map: they don't know which processes interact, which requirements are likely to be weakly evidenced, or where a previous audit already flagged a recurring problem. That auditor ends up spending scarce on-site time re-discovering things a thirty-minute desk review would have surfaced, and the risk-based sampling decisions covered in Section 7.2 have nothing solid to be based on. Getting initiation and document review right is what makes everything that follows — the plan, the checklist, the sample, the findings — defensible rather than improvised.
During the initiating phase of a third-party audit, the audit team leader learns that the auditee's top management will be unavailable for the entire proposed audit week and that key records will be inaccessible until a system migration is finished. What should the audit team leader do?