Management System Standard (MSS)
When auditing a Management system standard (MSS), auditors are supposed to verify:
1- The extent of conformity of an established management system (MS) with the audited MSS requirements.
2- The effectiveness of the established MS in achieving its intended results.
Part of the audit process is to prepare an audit plan that the auditor and the auditee will use as a reference to be followed during the audit. The audit plan includes what will be covered during the audit. There is always however a discussion if the audit plan shall be based on processes of the organization being audited or shall it be based on the clauses of the MSS. This also will reflect on how to prepare the audit report. Shall we have an audit report by processes audited or by clauses audited?
If we go back to the two objectives of the audit mentioned above we will realize that we need to ensure that the established MS meets the requirements of the MSS and this can’t be achieved if we don’t audit by clauses of the standard. We also need to verify effectiveness of the established MS in achieving its intended results and this can’t be achieved if we don’t audit by the processes of the organization.
Therefore we have to establish an audit plan that will satisfy both audit objectives and thus we have to be sure that our audit plan does cover at the same time the clauses of the MSS as well as covering the processes of the organization that are linked to the scope of the established MS.
In fact if the audit plan is based only on the clauses of the standard it will run the risk of not auditing all the processes, products and services covered by the scope of the established MS.
Likewise if the audit plan is based only on the processes of the organization it will run the risk of not covering all the clauses of the MSS
Another issue that needs to be taken into consideration when preparing an audit plan (also when writing the audit report) is that some clauses of the MSS are applicable to any process and at the same time they are a process. As an example we can audit clause 7.1.2 (people) at any given process but we also need to audit the people process by itself.
Credit Source: Mr. Mohamad Fawaz, ISO lead auditor, trainer, and risk solutions expert.