Title Page
-
Audit ID/Reference/Number
-
Audit Area / Focus
-
Site/Department/Area
-
Conducted on
-
Auditor name(s)
-
Location - address
-
Personnel involved/audited
Inputs
-
The inputs for the process have been defined.
-
Record the inputs that have been identified and their classification (e.g. data, materials, communications)
-
The inputs to the process are formally documented.
-
The inputs to the process have been communicated to the personnel receiving and processing the inputs.
-
The quality requirements for inputs have been defined.
-
Record the quality requirements that have been identified and their accept/reject criteria
-
The quality requirements for the inputs have been formally documented.
-
The input quality requirements for the process have been communicated to the personnel providing the inputs.
-
Additional notes
-
Attach any media - photo/video/sound recording
Process control
-
The required activities/steps/phases of the process have been defined.
-
Record the activities/steps/phases that have been identified and their relative criticality
-
The activities/steps/phases of the process are formally documented.
-
The activities/steps/phases of the process have been communicated/trained to the personnel performing the process (and evidence is available)
-
The performance quality requirements for the process have been defined.
-
Record the quality requirements that have been identified and their accept/reject criteria
-
The quality requirements for the process are formally documented.
-
The process performance quality requirements have been communicated to the personnel providing the inputs.
-
There is a process/protocol in place to monitor performance of the process.
-
Describe the monitoring protocol/process
-
The monitoring protocol/process is formally documented.
-
The required responses to monitoring are clearly and unambiguously defined.
-
There is evidence of the implementation of the monitoring protocol/process and appropriate responses.
-
Additional notes
-
Attach any media - photo/video/sound recording
Outputs
-
The outputs for the process have been defined.
-
Record the outputs that have been identified and their classification (e.g. data, materials, communications)
-
The outputs of the process are formally documented.
-
The outputs of the process have been communicated to the personnel monitoring, measuring and managing outputs.
-
The quality requirements for outputs have been defined.
-
Record the quality requirements that have been identified and their accept/reject criteria
-
The quality requirements for the outputs are formally documented.
-
The output quality requirements for the process have been communicated to the personnel monitoring and releasing the outputs.
-
There is a protocol/process in place to identify non-conforming outputs.
-
There is evidence that the protocol/process is being implemented consistently.
-
The protocol/process is aligned with the identified quality criteria.
-
The protocol/process identifies the method for determining conformance with quality criteria.
-
The protocol/process identifies the required actions for handling non-conforming outputs.
-
Additional notes
-
Attach any media - photo/video/sound recording
User feedback
-
The requirements for customer feedback/acceptance are clearly and unambiguously defined.
-
Record how the customer feedback/acceptance requirements are documented.
-
The customer feedback/acceptance requirements have been clearly communicated to the relevant personnel.
-
The process/protocol for capturing/identifying/classifying user feedback/acceptance has been defined.
-
Record the overall protocol/process components.
-
The process/protocol has been formally documented.
-
The process/protocol has been clearly communicated to the personnel involved.
-
There is evidence of the implementation of the process/protocol.
-
Additional notes
-
Attach any media - photo/video/sound recording
Operating context
-
Operating Context defines the external or internal environment. Common ways of defining operating context are the use of PESTLE analysis (Political; Economic; Social; Technological; Environmental; Legal); Stakeholder Analysis; SWOT Analysis (Strengths; Weaknesses; Opportunities; Threats); or some combination of them.
-
The operating context for the process/activity/function has been identified and defined.
-
Record how the operating context is defined (i.e. recorded or documented).
-
The inputs to the process of operating context definition are clearly defined.
-
The process for classifying, analysing and prioritising operating context components.
-
There is a process to regularly review and update understanding of the operating context.
-
Record the process for review and update.
-
The review process is appropriately documented.
-
There is evidence of regular review of operating context.
-
Additional notes
-
Attach any media - photo/video/sound recording
Risk management
-
Risk management is an important part of managing a function or process. In some situations, a defined formal risk management strategy is appropriate; however, a less formal approach may also be appropriate, depending on the particular circumstances.
Note well: risk management and threat management are different activities and should not be confused.
-
Risks to the function/process/activity have been identified.
-
Record how the risks are documented and recorded.
-
The risks to the process have been communicated to the personnel.
-
Risks to the function/process/activity have been analysed and prioritised.
-
Record how the risk priorities are documented and recorded.
-
There is a standard process for analysing and prioritising risks. (This may not be a formal process, depending on circumstances, but it must be standardised and repeatable.)
-
There are plans/processes/strategies in place to mitigate the identified risks.
-
The mitigation strategies have been clearly communicated to staff.
-
There is evidence of implementation of mitigation strategies.
-
The mitigation strategy includes response requirements if risks become actual events.
-
There is evidence of a process for reviewing risks on a regular basis, and for identifying new or developing risks.
-
Additional notes
-
Attach any media - photo/video/sound recording