Creating Programs

    An audit program forms the backbone of your audit activities. It provides structure, overview, and coherence to all audits you conduct within your organization. In this article, we explain what a good audit program is, how to set it up, and what choices you can make within AuditReporter.


    What is an audit program?

    An audit program is a planned set of audits over a specific period (usually 1-3 years), aimed at assessing the management system. In an audit program, you document:

    • what you audit (standards, processes, themes)

    • when you audit

    • how often you audit

    • where (which locations, departments, or sites)

    The audit program ensures that audits:

    • are conducted systematically and according to plan

    • align with risks and priorities

    • demonstrably contribute to continuous improvement


    What makes a good audit program?

    There is no “one size fits all,” but good audit programs usually have the following characteristics:

    1. Alignment with the management system

    The audit program logically aligns with:

    • the applicable standard(s) (e.g., ISO 27001, ISO 9001, ISO 20000, NEN 7510)

    • the scope of the management system

    • the key processes and risks

    A mature management system often requires different emphases than a system that has just been established.


    2. Risk-based approach

    Not every component needs to be audited as frequently or as deeply. A good audit program:

    • pays more attention to critical processes and high risks

    • takes into account previous deviations and incidents

    • adjusts frequency and depth accordingly


    3. Realistic and feasible

    An audit program must be achievable:

    • appropriate to available auditor capacity

    • aligned with organizational workload

    • with sufficient time for follow-up on actions

    Better a smaller program that is executed well than an ambitious program that remains undone.


    4. Flexible and adaptable

    Organizations change. A good audit program:

    • can be adjusted throughout the year

    • allows for ad-hoc audits or additional audits in case of incidents

    • grows with the maturity of the management system


    One or multiple audit programs?

    Depending on the setup of the management system, you can create one or multiple audit programs within AuditReporter. There is no right or wrong — the choice entirely depends on your situation.

    Multiple standards

    For organizations with multiple standards, there are roughly two approaches:

    • Integrated audit program
      One program in which multiple standards are audited together (e.g., ISO 9001 + ISO 27001).
      This works well if processes are strongly integrated.

    • Separate audit programs per standard
      Each program focuses on one standard.
      This can be clearer when standards are managed separately or by different teams.


    Multiple locations or sites

    The organizational setup also plays a role:

    • One central audit program
      All locations and standards in one program.
      Suitable for organizations with central management and uniform processes.

    • Audit program per location
      Each program focuses on one site.
      Convenient if locations differ significantly in processes or maturity.


    How does AuditReporter support this?

    AuditReporter is intentionally designed to be flexible, so that the audit program aligns with your reality:

    • You can use multiple audit programs side by side

    • For each program, you determine:

      • scope

      • period

      • standards and themes

    • Audit programs can be easily adjusted, expanded, or terminated

    This way, you can start small and scale up later without having to completely revise your setup.


    Practical tip

    Are you unsure about the right setup?
    Start simple. For example:

    • one audit program for one year

    • focused on the key processes and standards

    Based on experience, findings, and organizational development, you can later refine or split the audit program.

