Draft | Internal | ISO 9001 | ISO 14001 | ISO 27001

SW-IMS-PRO-003

Internal Audit Procedure

Version: 1.0
Owner: IMS Owner
Effective Date: TBD
Review Date: TBD

Internal Audit Procedure

Document ID: SW-IMS-PRO-003-v1.0
Effective Date: [TBD]
Review Date: [TBD]
Owner: IMS Owner
Approved by: [TBD]

1. Purpose

This procedure establishes a systematic approach for planning, conducting, reporting, and following up on internal audits of Swedwise's Integrated Management System (IMS). The purpose is to:

  • Verify the IMS conforms to ISO 9001, ISO 14001, and ISO 27001 requirements
  • Confirm the IMS is effectively implemented and maintained
  • Identify opportunities for improvement
  • Provide objective evidence of system performance
  • Prepare for external certification audits
  • Support management decision-making

Internal audits are a key tool for continuous improvement and are conducted with objectivity and independence.

2. Scope

This procedure applies to all internal audits of:

  • Quality Management System (ISO 9001) processes
  • Environmental Management System (ISO 14001) processes
  • Information Security Management System (ISO 27001) processes
  • Integrated management system documentation and records
  • All Swedwise locations (Karlstad HQ, Stockholm, Uddevalla)
  • All organizational units and departments
  • SaaS service operations

The procedure covers planning, conducting, reporting, and closing audits. It does not cover external audits conducted by certification bodies or customers.

3. Definitions

Term | Definition
Internal Audit | Systematic, independent examination to determine whether activities and results conform to planned arrangements and are effective.
Audit Program | Annual or multi-year plan defining when and what will be audited.
Audit Plan | Specific plan for an individual audit, including scope, schedule, and auditors.
Audit Scope | Extent and boundaries of the audit (processes, locations, requirements covered).
Audit Criteria | Set of requirements against which audit evidence is evaluated (ISO standards, policies, procedures).
Audit Evidence | Records, statements of fact, or other verifiable information relevant to audit criteria.
Audit Finding | Result of evaluating collected audit evidence against criteria. Can be conformity, nonconformity, or observation.
Conformity | Fulfillment of a requirement.
Nonconformity | Non-fulfillment of a requirement. Classified as Major or Minor.
Observation | Noted issue that doesn't constitute nonconformity but indicates potential for improvement or future risk.
Major Nonconformity | Absence or total breakdown of a system requirement; multiple related minor nonconformities indicating systemic failure.
Minor Nonconformity | Isolated lapse or deviation that doesn't compromise the system's overall effectiveness.
Auditor | Person qualified and assigned to conduct audits.
Auditee | Person or department being audited.
Lead Auditor | Auditor responsible for managing an audit.
Audit Team | One or more auditors conducting an audit, with one designated as Lead Auditor.
Corrective Action | Action to eliminate the cause of a detected nonconformity and prevent recurrence.

4. Audit Principles

Swedwise's internal audits are conducted according to these principles:

Principle | Description
Integrity | Auditors act ethically, honestly, and responsibly.
Fair Presentation | Audit findings, conclusions, and reports are accurate, truthful, and complete.
Due Professional Care | Auditors exercise diligence and judgment during the audit.
Independence | Auditors are objective and free from conflicts of interest. Auditors do not audit their own work.
Evidence-Based | Findings are based on verifiable information, not assumptions.
Risk-Based | Audit focus prioritizes higher-risk areas and critical processes.

5. Auditor Competence and Independence

5.1 Auditor Requirements

Internal auditors must:

  • Understand ISO 9001, ISO 14001, and ISO 27001 requirements relevant to areas they audit
  • Have completed internal auditor training (minimum 1-day course or equivalent)
  • Possess knowledge of audit principles, processes, and techniques
  • Understand Swedwise's operations, context, and processes
  • Demonstrate objectivity, professional behavior, and communication skills

Recommended training:

  • ISO 19011 auditing guidelines
  • Lead Auditor training for relevant standards
  • Industry-specific training (IT consulting, SaaS operations)

5.2 Auditor Independence

Independence requirements:

  • Auditors shall not audit their own work or areas of direct responsibility
  • Auditors shall be free from bias and conflicts of interest
  • Auditors report audit findings objectively, without external pressure

For small organizations like Swedwise (35 employees):

  • Primary approach: Use cross-functional audits where staff audit areas outside their department
    • Example: Customer Success staff audits IT operations; IT staff audits sales processes
  • Alternative: Engage external auditors for areas where independence cannot be maintained
  • IMS Owner: May conduct audits but cannot audit document control or overall IMS implementation (requires external auditor)

5.3 Auditor Assignment

Audit Area | Preferred Auditor Profile | Independence Requirement
Quality / Customer processes | Staff from non-customer-facing functions | Not directly responsible for customer delivery
Environmental aspects | Staff not responsible for procurement/facilities | Not responsible for travel or energy decisions
Information security | Staff with IT/security knowledge from non-IT units | Not responsible for security controls being audited
SaaS operations | Staff not involved in SaaS service delivery | Not part of SaaS operations team
Management processes | Department heads auditing other departments | Not auditing own department

5.4 Auditor Qualification Records

The IMS Owner maintains records of:

  • Auditor training certificates
  • Audit experience log (audits conducted, dates, scope)
  • Competence assessments
  • Annual refresher training

Minimum audit frequency per auditor: At least one audit per year to maintain competence.

6. Audit Program Planning

6.1 Annual Audit Program

The IMS Owner prepares an annual audit program (or multi-year program) considering:

Risk-Based Prioritization:

  • Results from risk assessments (SW-IMS-PRO-002)
  • Critical processes for customer satisfaction
  • Significant environmental aspects
  • High-risk information security areas
  • Areas with previous nonconformities or audit findings
  • New processes, services, or changes
  • Regulatory or customer requirements

ISO Requirements:

  • All IMS processes audited at least once per audit cycle (typically annually)
  • Higher-risk areas audited more frequently (e.g., semi-annually or quarterly)
  • All three management systems (QMS, EMS, ISMS) adequately covered

Organizational Context:

  • All three locations (Karlstad, Stockholm, Uddevalla)
  • Key organizational units (Customer Acquisition, Customer Success, Resource Management, etc.)
  • Support functions (HR, finance, IT)
  • SaaS service operations

Practical Considerations:

  • Staff availability (avoid peak project periods)
  • Seasonal variations (travel patterns, customer activity)
  • Certification audit schedule (ensure coverage before external audits)

6.2 Audit Program Template

Audit # | Audit Scope | ISO Standard(s) | Risk Level | Location | Scheduled Date | Auditor(s) | Status
A-2025-01 | Document control, records management | ISO 9001, ISO 14001, ISO 27001 | Medium | Karlstad HQ | Q1 2025 | [Name] | Planned
A-2025-02 | Information security controls, access management | ISO 27001 | High | All locations | Q2 2025 | [Name] | Planned
A-2025-03 | Environmental aspects, energy use, travel | ISO 14001 | Medium | All locations | Q2 2025 | [Name] | Planned
A-2025-04 | Customer delivery, project management | ISO 9001 | High | Karlstad, customer sites | Q3 2025 | [Name] | Planned
A-2025-05 | SaaS operations, incident management, monitoring | ISO 9001, ISO 27001 | High | Karlstad (operations) | Q3 2025 | [Name] | Planned
A-2025-06 | Supplier management, procurement | ISO 9001, ISO 14001 | Medium | Karlstad HQ | Q4 2025 | [Name] | Planned

Audit frequency targets:

  • High-risk areas: Semi-annually or more frequently
  • Medium-risk areas: Annually
  • Low-risk areas: Annually or every 18 months

Program review: The audit program is reviewed quarterly and adjusted based on:

  • Changes in organizational risk profile
  • Incidents, nonconformities, or customer complaints
  • Organizational changes (new services, locations, staff)
  • Management requests or external audit findings

6.3 Approval and Communication

  1. IMS Owner drafts annual audit program
  2. Management Team reviews and approves program
  3. Audit program communicated to all department heads
  4. Individual audit schedules confirmed with auditees at least 2 weeks in advance

7. Audit Planning (Individual Audit)

7.1 Audit Initiation

For each planned audit:

  1. Assign audit team: Lead Auditor and supporting auditors (if needed)
  2. Confirm independence: Verify no conflicts of interest
  3. Notify auditee: Minimum 2 weeks advance notice (unless unannounced audit is justified)
  4. Define audit scope: Specific processes, locations, standards, and time period

7.2 Audit Plan Development

The Lead Auditor prepares an audit plan including:

Section | Details
Audit Objective | Purpose of the audit (e.g., "Verify conformity of information security controls to ISO 27001 requirements")
Audit Scope | Processes, locations, departments included/excluded
Audit Criteria | ISO requirements, internal policies/procedures, legal requirements
Audit Schedule | Date, time, duration, and sequence of activities
Audit Team | Lead Auditor, supporting auditors, technical experts (if needed)
Auditees | Key personnel to be interviewed
Documents to Review | Policies, procedures, records, logs, evidence required
Resources Needed | Meeting rooms, access to systems, sample records

Example Audit Schedule:

Time | Activity | Auditee | Process/Area
09:00-09:15 | Opening meeting | Department Head, team | Objectives, scope, logistics
09:15-10:00 | Document review | IMS Owner | Policy, procedure adequacy
10:00-11:00 | Interviews | Staff members | Process understanding, conformity
11:00-12:00 | Evidence review | Process owners | Records, logs, reports
12:00-13:00 | Lunch break | - | -
13:00-14:00 | Observations | Staff | Work practices, physical controls
14:00-15:00 | Follow-up questions | Selected staff | Clarifications, additional evidence
15:00-15:30 | Audit team debrief | Audit team only | Findings review, prepare report
15:30-16:00 | Closing meeting | Department Head, team | Present findings, next steps

7.3 Audit Preparation

Lead Auditor preparation:

  • Review relevant IMS documentation (policies, procedures)
  • Review previous audit reports and nonconformities for the area
  • Review risk register entries related to audit scope
  • Prepare audit checklists or question guides
  • Identify sampling approach for records review
  • Coordinate logistics with auditee

Auditee preparation:

  • Ensure relevant staff are available
  • Prepare workspace and access to systems/documents
  • Gather requested records and evidence
  • Brief staff on audit process and expectations

8. Conducting the Audit

8.1 Opening Meeting

Attendees: Audit team, auditees, relevant managers

Agenda (15-30 minutes):

  1. Introductions
  2. Confirm audit objective, scope, and criteria
  3. Review audit schedule and logistics
  4. Explain audit method (interviews, document review, observations)
  5. Clarify confidentiality and reporting
  6. Agree on closing meeting time
  7. Address questions or concerns

Tone: Professional, collaborative, not adversarial. Emphasize audit as improvement opportunity.

8.2 Gathering Audit Evidence

Methods:

Method | Description | Use For
Interviews | Structured questions to staff | Understanding processes, roles, awareness
Document Review | Examination of policies, procedures, work instructions | Adequacy and currency of documented information
Record Review | Sampling and verification of records | Evidence of conformity and effectiveness
Observations | Watching activities and inspecting facilities | Actual practices vs. documented procedures
Testing | Performing process steps or system checks | Verifying controls function as intended

Evidence characteristics:

  • Verifiable: Can be confirmed through independent sources
  • Relevant: Directly related to audit criteria
  • Sufficient: Enough to support findings
  • Current: Reflects current situation

Sampling approach:

  • For small organizations like Swedwise, audit depth is more important than breadth
  • Sample size depends on process complexity and risk level
  • Example: Review 5-10 recent records; interview 3-5 staff members per process

Good audit questions (open-ended):

  • "Can you walk me through how you handle [process]?"
  • "What do you do if [exception situation] occurs?"
  • "Where do you record [activity]?"
  • "How do you know if [control] is working?"
  • "What training have you received on [procedure]?"

8.3 Note-Taking and Documentation

Auditors document:

  • What was examined (documents, records, observations)
  • Who was interviewed
  • Evidence of conformity or nonconformity
  • Objective facts, not opinions or assumptions

During the audit:

  • Take clear, factual notes
  • Note reference numbers of documents/records reviewed
  • Timestamp observations
  • Collect evidence (take photos if permitted, copy record numbers)

8.4 Evaluating Findings

For each audit criterion, determine:

Conformity: Requirement is met; evidence demonstrates effective implementation

  • Example: "Training records confirm all staff completed security awareness training within the last 12 months (requirement: annually)."

Minor Nonconformity: Isolated deviation; doesn't compromise overall system effectiveness

  • Example: "One employee's training record is missing completion date (3 of 4 records complete)."

Major Nonconformity: Systemic failure or complete absence of a requirement

  • Example: "No evidence of risk assessments conducted in the past 18 months (requirement: annual)."
  • Example: "Five out of six sampled access reviews not performed (systemic failure)."

Observation: Not a nonconformity but indicates potential risk or improvement opportunity

  • Example: "Backup logs are not centrally stored, making review difficult. Consider consolidating for easier monitoring."

Best Practice / Positive Finding: Noteworthy good practice worth sharing

  • Example: "Customer Success team has implemented a proactive check-in process exceeding minimum requirements, resulting in high satisfaction."

8.5 Handling Challenges During Audits

Situation | Auditor Response
Auditee unavailable | Reschedule portion of audit or interview alternate staff member
Evidence not available | Note in audit report; may constitute nonconformity if evidence is required
Auditee defensive or uncooperative | Remain professional; focus on facts; escalate to manager if needed
Process not documented | Determine if documentation is required by standards; may be nonconformity
Urgent incident during audit | Pause audit if necessary; reschedule if auditee needs to respond to incident
Disagreement on finding | Document both perspectives; Lead Auditor makes final determination; auditee can appeal in corrective action phase

8.6 Audit Team Debrief

Before closing meeting, audit team:

  • Reviews all findings
  • Classifies findings (conformity, minor/major nonconformity, observation)
  • Ensures findings are fact-based and well-supported
  • Identifies positive findings and improvement opportunities
  • Prepares closing meeting presentation

9. Closing Meeting

Attendees: Same as opening meeting

Agenda (30-45 minutes):

  1. Thank auditees for cooperation
  2. Restate audit scope and criteria
  3. Present findings:
    • Conformities and positive findings
    • Observations
    • Nonconformities (minor and major)
  4. Explain findings clearly with supporting evidence
  5. Clarify corrective action requirements and timeline
  6. Address questions (but don't negotiate findings)
  7. Confirm distribution of audit report
  8. Close professionally

Tone: Balanced, constructive, focused on improvement. Recognize good practices as well as identify issues.

10. Audit Reporting

10.1 Audit Report Contents

The Lead Auditor prepares a written audit report within 5 working days of audit completion, including:

Section | Details
Audit Information | Audit ID, date, location, auditors, auditees
Audit Objective and Scope | Purpose, processes audited, standards
Audit Criteria | ISO requirements, policies, procedures used
Executive Summary | Overall conclusion, key highlights
Conformities | Areas where requirements are met
Positive Findings | Examples of good practices
Observations | Improvement opportunities (not nonconformities)
Nonconformities | Detailed findings with evidence
Recommendations | Suggested improvements
Audit Conclusion | Overall system effectiveness assessment

10.2 Nonconformity Reporting Format

Each nonconformity clearly states:

Nonconformity ID: NC-[Audit ID]-[Number]

  • Example: NC-A2025-02-001

Classification: Major or Minor

Requirement: Specific ISO clause, policy, or procedure violated

Evidence: Objective facts supporting the finding

  • Example: "Review of access logs for Q1 2025 showed no evidence of quarterly access reviews (sampled 6 user accounts). Procedure SW-ISMS-PRO-001 Section 4.3 requires quarterly reviews."

Potential Impact: Consequences if not corrected

  • Example: "Risk of unauthorized access remaining undetected; non-compliance with ISO 27001 A.5.18."

Required Action: What needs to be corrected

10.3 Report Distribution

Audit reports are distributed to:

  • Auditee (department head or process owner)
  • Management Team
  • IMS Owner
  • Relevant managers of audited areas

Confidentiality: Audit reports are classified as Internal and should not be shared outside Swedwise without approval.

Retention: Audit reports retained for 7 years (ISO certification requirement).

11. Corrective Action and Follow-Up

11.1 Corrective Action Requirements

For each nonconformity, the auditee must:

  1. Immediate Correction (if applicable): Fix the specific instance

    • Example: Complete the missing training record
  2. Root Cause Analysis: Determine why the nonconformity occurred

    • Use techniques like 5 Whys, fishbone diagram, or simple analysis
    • Example: "Training completion was not tracked in central system; relied on individual memory."
  3. Corrective Action Plan: Prevent recurrence

    • Address the root cause
    • Define specific actions, responsibilities, and deadlines
    • Example: "Implement automated training tracking in HRIS; assign HR Owner; complete by [date]."
  4. Verification of Effectiveness: Demonstrate the issue is resolved

    • Provide evidence that corrective action works
    • Example: "Provide screenshot of HRIS showing all staff training status; conduct spot-check in 3 months."

Timeline:

  • Major nonconformities: Corrective action plan within 2 weeks; implementation within 30 days (or as agreed)
  • Minor nonconformities: Corrective action plan within 4 weeks; implementation within 60 days
  • Extensions may be granted by IMS Owner if justified

Template: Use SW-IMS-FRM-005 Corrective Action Request (CAR) form

11.2 Observations Follow-Up

Observations do not require formal corrective action but should be:

  • Reviewed by process owner
  • Considered for improvement initiatives
  • Addressed if resources and priorities allow

11.3 Verification of Corrective Actions

The IMS Owner (or assigned auditor) verifies corrective actions by:

  1. Document Review: Examine evidence provided (updated procedures, completed records, photos, etc.)
  2. Follow-up Audit (if needed): Conduct targeted audit to verify implementation
    • Required for major nonconformities
    • Optional for minor nonconformities if evidence is clear
  3. Effectiveness Check: Confirm corrective action addresses root cause and prevents recurrence
    • May be scheduled 3-6 months after implementation to assess sustained effectiveness

Verification outcomes:

  • Closed: Corrective action is adequate and effective; nonconformity resolved
  • Pending: Corrective action in progress; partial completion; remains open
  • Reopened: Corrective action inadequate or ineffective; requires rework

11.4 Escalation

If corrective actions are not completed within agreed timelines or are repeatedly ineffective:

  • IMS Owner escalates to Management Team
  • Management Team may allocate additional resources or adjust priorities
  • Persistent nonconformities are flagged for Management Review (SW-IMS-PRO-004)

12. Roles and Responsibilities

Management Team:

  • Approve annual audit program
  • Allocate resources for audits and corrective actions
  • Review audit results in management reviews
  • Ensure independence and objectivity of audit process
  • Support corrective action implementation

IMS Owner:

  • Develop and maintain annual audit program
  • Assign and schedule auditors
  • Maintain auditor competence records
  • Monitor audit completion and report quality
  • Track corrective actions to closure
  • Escalate overdue or ineffective corrective actions
  • Maintain audit records and reports
  • Coordinate with external auditors

Lead Auditor:

  • Prepare audit plan
  • Conduct opening and closing meetings
  • Manage audit team and schedule
  • Evaluate audit evidence and determine findings
  • Prepare and issue audit report
  • Support corrective action verification

Auditors:

  • Conduct audit activities (interviews, reviews, observations)
  • Gather and document audit evidence
  • Report findings to Lead Auditor
  • Maintain objectivity and independence
  • Maintain and develop audit competence

Auditee (Process Owner / Department Head):

  • Cooperate with audit activities
  • Provide access to personnel, documents, and facilities
  • Respond to audit findings
  • Develop and implement corrective actions
  • Provide evidence of corrective action completion
  • Communicate audit results to their teams

All Staff:

  • Participate in audits when requested
  • Answer audit questions honestly and accurately
  • Provide requested documents and evidence
  • Report any audit-related concerns to their manager or IMS Owner

13. Inputs and Outputs

Inputs:

  • Annual audit program
  • IMS documentation (policies, procedures, guidelines)
  • Previous audit reports and corrective action status
  • Risk register (high-risk areas prioritized for audit)
  • Incident reports and nonconformities
  • Management review decisions
  • External audit findings or customer feedback
  • Changes in ISO standards or legal requirements

Outputs:

  • Audit reports (findings, nonconformities, observations)
  • Corrective action requests (CARs)
  • Audit program updates
  • Auditor competence records
  • Lessons learned and improvement opportunities
  • Evidence for management review and certification audits

14. Records

Record | Retention Period | Location | Owner
Annual Audit Program | 7 years | [TBD] | IMS Owner
Individual Audit Plans | 7 years | [TBD] | Lead Auditor
Audit Reports | 7 years | [TBD] | Lead Auditor
Audit Checklists and Notes | 3 years | [TBD] | Lead Auditor
Corrective Action Requests (CARs) | 7 years | [TBD] | IMS Owner
Corrective Action Evidence | 5 years | [TBD] | Auditee
Auditor Training Records | Duration of auditor activity + 3 years | [TBD] | IMS Owner
Auditor Qualification Records | Duration of auditor activity + 3 years | [TBD] | IMS Owner

15. Continuous Improvement

This procedure and the audit process are continuously improved through:

  • Feedback from auditors and auditees after each audit
  • Lessons learned from audit challenges
  • Benchmarking against ISO 19011 best practices
  • External auditor recommendations
  • Periodic review of audit effectiveness metrics

Audit effectiveness metrics (reviewed in Management Review):

  • Percentage of audit program completed on schedule
  • Number of nonconformities identified per audit
  • Percentage of corrective actions completed on time
  • Average time to close corrective actions
  • Repeat nonconformities (indicates ineffective corrective actions)
  • Auditee satisfaction with audit process
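The timelines in Section 11.1 and the metrics listed above are simple enough to compute mechanically, which is useful when the IMS Owner tracks CARs to closure and prepares Management Review input. The following Python tracker is an added example written for this procedure; it is not Swedwise's own tooling. It encodes the Section 11.1 plan and implementation deadlines by classification, the Section 11.3 verification outcomes, and the Section 15 metrics. The record layout, the "Overdue" status (used here as the trigger for Section 11.4 escalation), and all audit and CAR data are assumptions constructed for illustration; the ID and requirement formats follow Sections 6.2 and 10.2.

```python
"""Corrective-action tracker and audit-effectiveness metrics.

Added example for the Internal Audit Procedure (not Swedwise tooling).
Deadlines follow Section 11.1; metrics follow the Continuous Improvement
section. Record layout, the "Overdue" status and the sample data are
assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Section 11.1: days counted from the date the nonconformity was raised.
TIMELINES = {
    "Major": {"plan": 14, "implement": 30},
    "Minor": {"plan": 28, "implement": 60},
}


@dataclass
class Audit:
    audit_id: str                     # A-YYYY-## as in Section 6.2
    scheduled_by: date                # last day of the scheduled quarter (assumption)
    completed: Optional[date] = None

    def on_schedule(self) -> bool:
        return self.completed is not None and self.completed <= self.scheduled_by


@dataclass
class CAR:
    nc_id: str                        # NC-[Audit ID]-[Number], Section 10.2
    audit_id: str
    classification: str               # "Major" or "Minor"
    requirement: str                  # clause or procedure reference
    raised: date
    plan_received: Optional[date] = None
    closed: Optional[date] = None
    extension_days: int = 0           # granted by IMS Owner (Section 11.1)
    reopened: bool = False            # verification outcome (Section 11.3)

    def plan_due(self) -> date:
        return self.raised + timedelta(days=TIMELINES[self.classification]["plan"])

    def implementation_due(self) -> date:
        days = TIMELINES[self.classification]["implement"] + self.extension_days
        return self.raised + timedelta(days=days)

    def closed_on_time(self) -> bool:
        return self.closed is not None and self.closed <= self.implementation_due()

    def status(self, today: date) -> str:
        if self.closed:
            return "Closed"
        if self.reopened:
            return "Reopened"
        plan_missing = self.plan_received is None and today > self.plan_due()
        if plan_missing or today > self.implementation_due():
            return "Overdue"          # assumption: escalation trigger, Section 11.4
        return "Pending"


def needs_escalation(cars, today: date):
    """Section 11.4: CARs past their agreed timeline or reopened after verification."""
    return [c.nc_id for c in cars if c.status(today) in ("Overdue", "Reopened")]


def audit_metrics(audits, cars, today: date) -> dict:
    """Audit effectiveness metrics as reviewed in Management Review."""
    closed = [c for c in cars if c.closed]
    by_requirement = Counter(c.requirement for c in cars)
    return {
        "program_on_schedule_pct": round(100 * sum(a.on_schedule() for a in audits) / len(audits), 1),
        "ncs_per_audit": round(len(cars) / len(audits), 1),
        "cars_on_time_pct": round(100 * sum(c.closed_on_time() for c in closed) / len(closed), 1) if closed else None,
        "avg_days_to_close": round(sum((c.closed - c.raised).days for c in closed) / len(closed), 1) if closed else None,
        # Same requirement raised more than once: a sign of ineffective corrective action.
        "repeat_requirements": sorted(r for r, n in by_requirement.items() if n > 1),
        "open_cars": {c.nc_id: c.status(today) for c in cars if not c.closed},
    }


# Constructed sample data (illustrative only; not real audit results).
AUDITS = [
    Audit("A-2025-01", date(2025, 3, 31), completed=date(2025, 2, 10)),
    Audit("A-2025-02", date(2025, 6, 30), completed=date(2025, 5, 12)),
    Audit("A-2025-03", date(2025, 6, 15), completed=date(2025, 6, 18)),   # late
]
CARS = [
    CAR("NC-A2025-01-001", "A-2025-01", "Minor", "SW-IMS-PRO-001 Section 5.3",
        date(2025, 2, 10), plan_received=date(2025, 3, 3), closed=date(2025, 4, 1)),
    CAR("NC-A2025-01-002", "A-2025-01", "Minor", "ISO 9001 7.5.3",
        date(2025, 2, 10), plan_received=date(2025, 3, 5), closed=date(2025, 4, 20)),
    CAR("NC-A2025-02-001", "A-2025-02", "Major", "SW-ISMS-PRO-001 Section 4.3",
        date(2025, 5, 12), plan_received=date(2025, 5, 20)),
    CAR("NC-A2025-02-002", "A-2025-02", "Minor", "ISO 9001 7.5.3",
        date(2025, 5, 12)),                                             # no plan yet
]
TODAY = date(2025, 6, 20)

if __name__ == "__main__":
    for car in CARS:
        print(car.nc_id, car.classification, "plan due", car.plan_due(),
              "implement by", car.implementation_due(), "->", car.status(TODAY))
    print("escalate:", needs_escalation(CARS, TODAY))
    print("metrics:", audit_metrics(AUDITS, CARS, TODAY))
```

With the constructed data, the Major CAR is past its 30-day implementation deadline and the second Minor CAR has no plan after 28 days, so both are listed for escalation; the metrics also surface "ISO 9001 7.5.3" as a repeat requirement across two audits. Extensions granted under Section 11.1 are applied by setting `extension_days` on the record rather than editing the deadline, so the original timeline stays visible.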

Improvement suggestions: Submit to IMS Owner using SW-IMS-FRM-002 Improvement Suggestion Form.


Appendix A: Audit Checklist Template

Audit ID: [ID]
Audit Date: [Date]
Auditor: [Name]
Process/Area: [Process Name]
ISO Standard: [ISO 9001 / ISO 14001 / ISO 27001]

ISO Clause | Requirement | Audit Question / Check | Evidence Required | Evidence Found | Conformity (Y/N) | Notes
[Clause] | [Requirement text] | [What to check] | [Documents/records needed] | [What was found] | [ ] | [Details]

Example:

ISO Clause | Requirement | Audit Question / Check | Evidence Required | Evidence Found | Conformity | Notes
ISO 9001: 7.2 | Competence | Are staff competent based on appropriate education, training, or experience? | Training records, competence matrix | Reviewed 5 staff files; all have training records | Y | Good documentation
ISO 27001: 5.1 | Security policies | Is information security policy established, documented, and communicated? | Security policy document, evidence of communication | Policy SW-ISMS-POL-001 v1.0; emailed to staff 2024-03-15 | Y | Policy comprehensive

Appendix B: Audit Report Template

INTERNAL AUDIT REPORT

Audit ID: [A-YYYY-##]
Audit Date: [Date]
Report Date: [Date]


AUDIT INFORMATION

Field | Details
Audit Scope | [Processes, departments, locations audited]
Audit Objective | [Purpose of the audit]
Audit Criteria | [ISO clauses, policies, procedures]
Lead Auditor | [Name]
Audit Team | [Names]
Auditees | [Names and roles]

EXECUTIVE SUMMARY

[1-2 paragraph summary: overall conformity status, key findings, major issues, positive highlights]

Example:
"The audit of document control processes across all locations found the system generally effective and conforming to ISO requirements. Staff demonstrated good understanding of document control principles. Two minor nonconformities were identified related to version control labels and obsolete document removal. Several positive practices were noted, including the use of automated notifications for document updates."


CONFORMITIES

[List areas where requirements are fully met]

  • Document Control Procedure (SW-IMS-PRO-001) is comprehensive and aligns with ISO requirements
  • Staff interviewed demonstrated good understanding of document approval processes
  • Document register is maintained and up-to-date
  • External documents are identified and tracked

POSITIVE FINDINGS

[Examples of good practices worth recognizing]

  • Automated Document Notifications: The implementation of automated email notifications when documents are updated ensures timely awareness among staff.
  • Version Control: Use of color-coded version labels makes it easy to identify current vs. obsolete documents.

OBSERVATIONS (Improvement Opportunities - Not Nonconformities)

OBS-1: Training record storage location

  • Details: Training records are stored in multiple locations (HR system, manager files, training platform). While all records are available, consolidation would improve efficiency.
  • Recommendation: Consider centralizing training records in HRIS for easier access and reporting.

NONCONFORMITIES

NC-A2025-01-001: Minor Nonconformity

  • Requirement: SW-IMS-PRO-001 Section 5.3 requires documents to display version number on each page
  • Evidence: Three procedures reviewed (SW-QMS-PRO-006, SW-EMS-GUI-002, SW-ISMS-GUI-005) do not show version number in page footer; only on cover page
  • Impact: Risk of using wrong version if pages are printed separately
  • Required Action: Update document templates to include version number in footer; update affected documents

NC-A2025-01-002: Minor Nonconformity

  • Requirement: ISO 9001 Clause 7.5.3 requires control of documented information to prevent unintended use of obsolete documents
  • Evidence: Obsolete procedure (SW-QMS-PRO-004 v1.0, superseded 2024-10-01) found in Stockholm office printer area. Not marked as obsolete.
  • Impact: Risk of staff referencing outdated procedure
  • Required Action: Remove all hard copies of obsolete documents from all locations; implement check during document update process

AUDIT CONCLUSION

[Overall assessment of system effectiveness]

Example:
"The document control system is established and generally effective. The identified minor nonconformities do not compromise overall system integrity but should be addressed to ensure full conformity. No major nonconformities were identified. The audit team recommends accepting the corrective action plans and conducting follow-up verification in 60 days."


NEXT STEPS

  1. Auditee to submit corrective action plans for NC-A2025-01-001 and NC-A2025-01-002 within 4 weeks
  2. IMS Owner to verify corrective action implementation
  3. Follow-up audit or document review scheduled for [date]

DISTRIBUTION

  • [Department Head / Process Owner]
  • Management Team
  • IMS Owner

SIGNATURES

Role | Name | Signature | Date
Lead Auditor | [Name] | | [Date]
Auditee | [Name] | | [Date]

Appendix C: Quick Reference - Audit Process Flow

┌─────────────────────────────────────────────────────┐
│  1. AUDIT PROGRAM PLANNING (Annual)                  │
│     - Identify processes and risks                   │
│     - Schedule audits                                │
│     - Assign auditors                                │
│     - Management approval                            │
└─────────────────┬───────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────┐
│  2. AUDIT PREPARATION (2 weeks before)               │
│     - Develop audit plan                             │
│     - Review documentation                           │
│     - Prepare checklists                             │
│     - Notify auditee                                 │
└─────────────────┬───────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────┐
│  3. CONDUCT AUDIT (Audit day)                        │
│     - Opening meeting (15-30 min)                    │
│     - Gather evidence (interviews, reviews, obs)     │
│     - Evaluate findings                              │
│     - Audit team debrief                             │
│     - Closing meeting (30-45 min)                    │
└─────────────────┬───────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────┐
│  4. AUDIT REPORTING (Within 5 days)                  │
│     - Prepare audit report                           │
│     - Document conformities and nonconformities      │
│     - Issue report to auditee and management         │
└─────────────────┬───────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────┐
│  5. CORRECTIVE ACTION (2-4 weeks)                    │
│     - Auditee develops corrective action plan        │
│     - Address root cause                             │
│     - Implement corrective actions                   │
│     - Provide evidence                               │
└─────────────────┬───────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────┐
│  6. VERIFICATION & CLOSURE (30-60 days)              │
│     - Verify corrective action effectiveness         │
│     - Conduct follow-up audit if needed              │
│     - Close nonconformity                            │
│     - Update audit records                           │
└─────────────────────────────────────────────────────┘

Document Control

Version | Date | Author | Changes
1.0 | [TBD] | [Author] | Initial release

Approval

Role | Name | Signature | Date
IMS Owner | | |
Management Team Representative | | |