The Seven Principles of Auditing & Core Audit Terminology

Key Takeaways

  • ISO 19011:2018 sets out seven audit principles: integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and risk-based approach.
  • Risk-based approach is the newest principle, added in the 2018 revision, and shapes how audits and audit programmes are planned, conducted, and reported.
  • Fair presentation requires reporting significant obstacles and unresolved diverging opinions truthfully, not omitting them from the audit report.
  • Audit criteria, audit evidence, audit findings, and audit conclusion form a strict chain: evidence is compared to criteria to produce findings, and findings are synthesized into a conclusion.
  • Independence means internal auditors should not audit their own work, and all auditors must maintain an objective state of mind throughout the audit.
Last updated: July 2026

The Seven Principles of Auditing & Core Audit Terminology

Quick answer: ISO 19011:2018 sets out seven principles that must underpin every management-system audit — integrity, fair presentation, due professional care, confidentiality, and independence (which relate to the auditor as a person), plus an evidence-based approach and a risk-based approach (which relate to the audit process itself). The seventh principle, risk-based approach, is new to the 2018 revision. Every audit finding, evidence item, and conclusion you record as a lead auditor should be traceable back to these principles.

Why the Principles Matter

The seven principles are not abstract ethics statements tacked onto the front of ISO 19011 — they are the operating rules that make an audit's conclusions trustworthy to someone who wasn't in the room. A certification decision, a management review input, or a supplier-approval decision all depend on the audit having been conducted with integrity, evaluated fairly, and supported by verifiable evidence. When an examiner asks you to identify "which principle is violated" in a scenario, they are testing whether you can connect a described behavior back to one specific principle.

The Seven Principles, With Auditor Examples

  1. Integrity — the foundation of professionalism. Auditors work with honesty, diligence, and responsibility; comply with applicable legal requirements; demonstrate competence; act impartially; and stay alert to any influence that might be exerted on their judgement. Example: an auditor who quietly skips a difficult supplier interview because the audit is running late is compromising integrity, not just timekeeping.
  2. Fair presentation — the obligation to report truthfully and accurately. Findings, conclusions, and reports must reflect what actually happened, including any significant obstacles encountered and any unresolved diverging opinions between the audit team and the auditee. Example: if the auditee restricts access to a production area, the report must say so — omitting it would misrepresent the audit's completeness.
  3. Due professional care — applying diligence and sound judgement. Competence in the subject matter gives an auditor the confidence to exercise judgement in situations without a clear-cut answer. Example: recognizing that a missing signature on a record might be a minor administrative slip in one context but evidence of a control failure in another.
  4. Confidentiality — security of information. Auditors exercise discretion in using and protecting information gathered during the audit, and never use it for personal gain or in a way that damages the auditee's legitimate interests. Example: not discussing one client's process details with a competing client, even informally.
  5. Independence — the basis for impartiality and objectivity. Wherever practicable, auditors are independent of the activity being audited and free from bias or conflict of interest. Internal auditors should not audit their own work, and every auditor must maintain an objective state of mind so findings rest on evidence alone. Example: a process owner cannot conduct the internal audit of the process they manage.
  6. Evidence-based approach — the rational method for reaching reliable, reproducible conclusions. Because audits happen in a finite time with finite resources, evidence is necessarily sampled, and the appropriate use of sampling is directly tied to how much confidence can be placed in the conclusion. Example: reviewing a representative sample of calibration records rather than claiming full certainty from three records out of three hundred.
  7. Risk-based approach — added in the 2018 revision. This principle means risk considerations substantively influence how audits are planned, conducted, and reported, so audit effort is directed toward what matters most to the auditee's management system and to the audit client. It also shapes decisions at the audit programme level, such as how frequently a higher-risk site is revisited.

Core Audit Terminology

Four terms form a strict logical chain, and precision matters — the exam frequently tests whether you can tell them apart.

TermDefinitionWhere it fits in the chain
Audit criteriaThe set of policies, procedures, or requirements used as a reference pointThe standard the evidence is compared against (e.g., ISO 9001 Clause 8.5 plus the organization's own procedure)
Audit evidenceRecords, statements of fact, or other information relevant to the criteria and capable of being verifiedWhat the auditor collects on-site
Audit findingsThe results of evaluating collected evidence against the criteriaEvidence + criteria → conformity, nonconformity, or an opportunity for improvement
Audit conclusionThe outcome of the audit, reached after considering the objectives and all the findings togetherThe final synthesis reported to the audit client

Notice the direction of the chain: an auditor gathers evidence, compares that evidence to criteria to produce a finding, and then combines all findings against the audit objectives to reach a conclusion. A common exam trap is describing something as a "finding" when it is really just unevaluated evidence — for instance, noticing that a calibration certificate is missing is evidence; only once it has been compared against the documented-information requirement in Clause 7.5 does it become a finding of nonconformity. Keeping this sequence straight is essential both for the exam and for defensible real-world reporting, and it sets up the terminology you'll use throughout audit planning, evidence collection, and nonconformity writing later in this guide.

Test Your Knowledge

Which audit principle was newly added to ISO 19011 in its 2018 revision?

A
B
C
D
Test Your Knowledge

During a third-party audit, the auditee restricts the team's access to a production area. Which principle specifically requires the audit team to report this obstacle in the audit report rather than leaving it out?

A
B
C
D