Audit practice · 5 min read · by Lars Zimmermann

How an Audit Works: The 7 Principles and Lifecycle

What an audit really is, the seven principles that guide every auditor (ISO 19011), and how an audit runs step by step, from planning to follow-up.

In short

An audit is a systematic, independent and documented process for gathering and evaluating objective evidence of how well something meets defined criteria. It does not hunt for mistakes; it delivers a reliable picture from risk-based sampling. ISO 19011 sets out the methodology for management system audits and seven guiding principles, including integrity, independence and an evidence-based approach.


Many people picture an "audit" as an inspection where someone goes looking for mistakes. That falls short. An audit is a systematic, independent and documented process for gathering and evaluating objective evidence of how well something meets defined criteria. It is not about catching people out; it is about producing a reliable picture.

Three concepts that carry everything

  • Audit criteria: the yardstick, for example the standard, your own policies, or legal requirements.
  • Audit evidence: the facts, including documents, records, statements and observations.
  • Audit findings: the result of comparing the evidence against the criteria (conforming or not).

The seven principles behind every credible audit

The methodology for management system audits is described in ISO 19011. Seven principles guide every auditor:

  • Integrity: professional trustworthiness and honesty.
  • Fair presentation: reporting truthfully and accurately, including uncomfortable facts.
  • Due professional care: applying sound, appropriate professional judgement.
  • Confidentiality: handling all audit information with care.
  • Independence: remaining impartial and avoiding conflicts of interest.
  • Evidence-based approach: drawing conclusions only from evidence (sampling).
  • Risk-based approach: focusing the audit where the risk is greatest.

An audit never proves that "everything is perfect." Working from samples, it assesses whether the system demonstrably works, reports that honestly, and concentrates on where the risk lies.

First, second or third party?

  • First-party audit (internal): the organisation audits itself; every ISO management system standard requires this.
  • Second-party audit: a customer audits its supplier (supplier audit).
  • Third-party audit: an independent certification body audits with the goal of certification.

The audit lifecycle

Whatever the type, the process follows the same pattern:

  • Initiation and planning: define the objective, scope, criteria and audit programme.
  • Preparation: review documents and prepare the audit plan and checklists.
  • Conduct: hold the opening meeting, gather evidence (interviews, observation, documents) and draw samples.
  • Reporting: classify the findings, produce the audit report and hold the closing meeting.
  • Closure and follow-up: track corrective actions and verify their effectiveness.

It is the final step that decides the real value. An audit whose findings nobody acts on has been a waste of time. That is why verifying the effectiveness of the corrective actions, not merely recording that they were taken, is an inseparable part of the process.


Frequently asked questions

Does an auditor look for mistakes?

No. An audit gathers objective evidence and compares it against the criteria. Findings are not an end in themselves; they are the basis for improvement.

Why only samples?

An audit can never check everything. It works on an evidence-based footing using risk-oriented sampling. That is recognised methodology, not a shortcoming.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)

Last updated: 26 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.

