Implementing, Monitoring, Reviewing & Improving the Audit Programme

Key Takeaways

  • Implementing an audit programme means defining each audit's objectives, scope, and criteria, selecting methods and team, assigning responsibility to a team leader, and managing outcomes and records.
  • A technical expert provides specific knowledge to the audit team but does not act as an auditor; observers and auditors-in-training accompany the team without auditing.
  • Monitoring the programme evaluates whether schedule and timing objectives are being met, team performance, and feedback from auditees and other interested parties across completed audits.
  • Reviewing and improving the programme happens at planned intervals and can trigger changes to its extent, resources, competence requirements, or objectives.
  • The implement-monitor-review-improve cycle for an audit programme mirrors the Plan-Do-Check-Act logic that runs through ISO 9001 itself.
Last updated: July 2026

Implementing, Monitoring, Reviewing & Improving the Audit Programme

Quick answer: Once an audit programme is established, ISO 19011:2018 Clause 5.6 covers implementing it — defining each individual audit's objectives, scope, and criteria; choosing methods; selecting the team; and managing the outcome and records — while Clause 5.7 covers monitoring, reviewing, and improving the programme over time so it keeps delivering credible results and adapts as the organization's needs change.

Implementing the Audit Programme

Implementation turns the programme-level decisions from the previous section into a specific, executable audit. It has several distinct activities, and understanding the order they typically occur in — objectives and scope first, then method, then team, then responsibility, then outcome management — helps keep the exam's process-sequencing questions straight.

Defining objectives, scope, and criteria for each audit. While the audit programme has overall objectives, every individual audit within it needs its own objectives, scope (the physical locations, organizational units, activities, and time period covered), and criteria (the specific clauses and documented requirements the evidence will be measured against), all derived from — and consistent with — the programme objectives.

Selecting and determining audit methods. Audits can be conducted on-site, remotely, or as a combination of both. Remote methods include interactive activities such as video-conferenced interviews and non-interactive activities such as remote review of documented information. The method chosen affects the degree of direct interaction between auditor and auditee, and the audit plan should be explicit about which method applies to which part of the audit.

Selecting the audit team. The programme manager assigns individuals whose combined competence is sufficient to achieve the audit's objectives. A team can include:

RoleFunction
Audit team leaderHolds overall responsibility for the audit and its conduct
Auditor(s)Perform the audit, individually or as part of a team
Technical expertProvides specific knowledge or expertise to the team but does not act as an auditor
ObserverAccompanies the team but does not audit (e.g., a regulator or a trainee who has not yet completed evaluation)
Auditor-in-trainingGains supervised audit experience toward full auditor competence

Assigning responsibility for the individual audit. The programme manager formally assigns responsibility for a given audit to a team leader, who then directs planning, conducting, and reporting on that specific audit. If circumstances change significantly during the audit — for example, information surfaces suggesting fraud, or the auditee's safety practices put the team at risk — the team leader has the authority to stop the audit, and to change the audit plan itself, reporting the reasons to the programme manager and the audit client.

Managing the audit programme outcome. As individual audits are completed, the programme manager (or someone with delegated authority) reviews and approves audit reports for completeness and quality, ensures they are distributed to the appropriate audit client and other relevant recipients, and determines whether follow-up action is necessary before the audit can be closed out.

Managing and maintaining audit programme records. Records generated by the programme fall into three broad groups: records relating to individual audits (plans, reports, nonconformity reports, corrective action reports, and follow-up reports); records of the audit programme review; and records related to audit personnel — competence evaluations, performance, team-selection decisions, and training completed.

Monitoring the Audit Programme

Monitoring is an ongoing activity, distinct from the one-time act of implementing a given audit. The person managing the programme evaluates, across the audits completed so far:

  • whether the schedule and timing objectives of the programme are being met;
  • the performance of audit team members, including team leaders;
  • the ability of audit teams to implement the audit plan effectively;
  • feedback from top management, auditees, auditors, and other relevant interested parties; and
  • the adequacy and completeness of audit programme records.

Monitoring feeds directly into whether the programme needs to change mid-cycle — for example, if feedback repeatedly flags that audits are running short of their allotted time, that signals either the scope was underestimated or the team's competence needs adjustment.

Reviewing and Improving the Programme

At planned intervals, the programme manager reviews the audit programme as a whole to confirm whether its objectives have been achieved and to identify opportunities for improvement. A review typically considers the results and trends from monitoring, the continuing suitability of the programme's procedures, emerging needs and expectations of interested parties, programme records, alternative or new audit methods, the effectiveness of measures taken to address programme risks, and confidentiality and information-security issues relating to the programme.

The outcome of this review is used to drive changes — to the extent of the programme, to resource allocation, to competence requirements for auditors, or to the objectives themselves — closing the loop back to Step 1 of establishing the programme. This mirrors the Plan-Do-Check-Act logic that runs through the whole of ISO 9001: the programme is planned, implemented, monitored, and then deliberately improved, rather than simply repeated unchanged year after year. For a lead auditor, recognizing that the audit programme itself is subject to continual improvement — not just the management systems it audits — is a frequently tested distinction on the exam.

Test Your Knowledge

How does a 'technical expert' on an audit team differ from an auditor, as defined in ISO 19011?

A
B
C
D
Test Your Knowledge

Which activity belongs to MONITORING an audit programme rather than implementing an individual audit within it?

A
B
C
D