Why Audit Principles Matter More Than You Think
Most auditors learn the mechanics of auditing fairly quickly. They pick up how to write a nonconformity, how to conduct an opening meeting, how to sample records. What takes longer to develop is the judgement that sits underneath all of those skills. That judgement is grounded in the principles of auditing set out in ISO 19011.
On this page
ISO 19011 is the international guideline for auditing management systems. It is not a certifiable standard, but it is the foundation document that shapes how audits are designed, conducted, and evaluated. Clause 4 of ISO 19011 sets out seven principles that every auditor is expected to understand and apply. These principles are not abstract ideals. They are practical guides to behaviour that determine whether an audit produces reliable, useful results or just ticks a box.
This article walks through each of the seven principles, explains what they mean in practice, and gives you real examples of what they look like on the ground. Whether you are preparing for your first internal audit or working toward lead auditor certification, understanding these principles will make you a more effective and credible auditor.
For a broader look at how ISO 19011 shapes modern audit practice, see our article on how the ISO 19011 guidelines shape modern audit practice.
The Seven Principles of Auditing Under ISO 19011
ISO 19011:2018 introduced a seventh principle alongside the original six from the 2011 edition. The 2026 revision of ISO 19011 retains all seven. They are:
- Integrity
- Fair presentation
- Due professional care
- Confidentiality
- Independence
- Evidence-based approach
- Risk-based approach
Each principle applies to auditors as individuals and to audit programmes as a whole. Let us go through them one by one.
Principle 1: Integrity
Integrity is listed first because it is foundational. ISO 19011 describes integrity as the basis of professionalism. It means auditors perform their work honestly, with diligence and responsibility. They observe and report what they actually find, not what someone wants them to find.
In practice, integrity shows up in small decisions throughout every audit. It is the auditor who records a finding even when the auditee is friendly and clearly embarrassed. It is the auditor who does not soften a major nonconformity into an observation because they feel uncomfortable delivering difficult news. It is the auditor who refuses to sign off on evidence they have not actually reviewed.
Integrity also means being transparent about your own limitations. If you do not have the technical knowledge to evaluate a particular process, you say so rather than bluffing your way through. Requesting a technical expert is a sign of integrity, not weakness.
One of the most common integrity failures in internal auditing is the tendency to go easy on senior managers. An auditor who finds a clear gap in top management commitment but records it as an observation rather than a nonconformity because they are worried about the reaction is compromising their integrity. The finding is what it is. Your job is to call it accurately.
Principle 2: Fair Presentation
Fair presentation means audit findings, conclusions, and reports reflect the audit evidence truthfully and accurately. This sounds straightforward, but it has real implications for how you write reports and how you communicate during the closing meeting.
Fair presentation requires balance. An audit report that only lists nonconformities without acknowledging where the system is working well is not a fair representation of what was found. Similarly, a report that buries a significant finding in vague language to avoid conflict is misleading.
This principle also applies to situations where the audit team encounters obstacles. If access to certain areas was restricted, or records were unavailable, that needs to be stated in the report. The audit client needs to know the scope of what was actually examined, not just what the planned scope was.
In practical terms, fair presentation means your nonconformity statements should be specific and evidence-based, your positive observations should be genuine rather than tokenistic, and your overall audit conclusion should accurately reflect the weight of evidence. A closing meeting that rushes through findings or downplays their significance is a failure of fair presentation, regardless of how technically correct the individual statements are.
Principle 3: Due Professional Care
Due professional care means applying the diligence and judgement expected of a competent auditor. It is the principle that requires you to actually think during an audit rather than mechanically working through a checklist.
This principle covers several things. It means preparing properly before the audit, reviewing relevant documents, understanding the context of the organisation, and setting objectives that reflect the actual risks. It means asking follow-up questions when something does not add up rather than accepting the first answer. It means not cutting corners when time is short.
Due professional care also means recognising when evidence is insufficient. If you have only seen one record and it looks fine, that is not enough to conclude the process is conforming. Sampling strategy matters. You need enough evidence to support your conclusions, and you need to be honest when you do not have it.
A common failure of due professional care is the auditor who arrives unprepared, relies entirely on the auditee to lead them through the process, and ends up auditing what they are shown rather than what needs to be examined. Preparation is not optional. It is part of the professional standard you are held to.
Principle 4: Confidentiality
Confidentiality means information obtained during an audit is used only for the purposes of the audit. Auditors encounter sensitive information regularly. Financial data, personnel records, customer complaints, supplier performance data, safety incident records. None of that information should leave the audit context without authorisation.
This principle is particularly important for external auditors and consultants who move between organisations. What you learn about one client's processes, pricing, or supplier relationships is not yours to share, discuss with competitors, or reference in other engagements without explicit permission.
Confidentiality also has an internal dimension. Internal auditors sometimes discover information during an audit that is sensitive within the organisation, such as performance issues with a particular manager or evidence of a problem that has not yet been escalated. The appropriate channel for that information is the audit report and the audit programme manager, not the workplace rumour mill.
In the digital age, confidentiality requires additional care. Audit notes, photographs, and records stored on personal devices or shared through unsecured channels create real risks. Auditors need to think about how they handle and store audit evidence, not just what they do with it verbally.
Principle 5: Independence
Independence is the principle that makes audit findings credible. An auditor who is auditing their own work, or who has a personal stake in the outcome, cannot be objective. ISO 19011 is clear that auditors should be independent of the activity being audited and free from bias and conflict of interest.
For internal auditors, true independence from the organisation is not possible. ISO 9001 Clause 9.2 acknowledges this by requiring that internal auditors do not audit their own work. The independence requirement applies to the specific activity being audited, not the organisation as a whole. An internal auditor from the finance team can audit the warehouse. They cannot audit their own department.
Independence also has a mindset dimension. An auditor who is personally close to the auditee, or who has a strong prior view about the outcome, needs to be aware of how that might influence their judgement. The principle does not just require structural independence. It requires auditors to actively manage their own biases.
For lead auditors managing an audit team, independence means making sure team members are assigned to areas where they have no conflict, and that the team as a whole is not under pressure from the audit client to reach a particular conclusion. Resisting that pressure is a core professional responsibility.
Our article on auditor independence and whether you can audit your own work goes into more detail on this topic.
Principle 6: Evidence-Based Approach
The evidence-based approach means audit conclusions are drawn from verifiable information. Auditing is not about impressions, gut feelings, or what the auditee tells you. It is about what you can observe, examine, and confirm.
This principle has direct implications for how you gather and record evidence. Audit evidence needs to be sufficient, appropriate, and verifiable. A conversation is not evidence on its own. A document you were shown briefly but did not record the reference for is weak evidence. A photograph, a record reference, a direct observation with a specific location and date, these are the building blocks of a defensible audit conclusion.
The evidence-based approach also shapes how you handle conflicting information. If an auditee tells you a process is followed consistently but the records show gaps, the records are the evidence. You do not average the two out. You investigate the discrepancy and report what the evidence shows.
This principle connects directly to sampling. Because auditors cannot examine everything, they sample. The evidence-based approach requires that your sampling is representative and that your conclusions accurately reflect the limits of what was sampled. Saying a process is conforming based on three records when thousands exist is not an evidence-based conclusion. It is a statement about three records, and your report should reflect that.
For practical guidance on building strong audit evidence, see our article on how to gather audit evidence that stands up to scrutiny.
Principle 7: Risk-Based Approach
The risk-based approach is the principle added in the 2018 edition of ISO 19011, and it reflects a shift in how audit programmes are designed and how individual audits are planned. The idea is straightforward: audit effort should be directed toward areas of higher risk and significance.
At the programme level, this means the frequency and depth of audits should reflect the risk profile of the activities being audited. A high-risk process with a history of nonconformities should receive more audit attention than a low-risk administrative process that has been stable for years. Risk factors include the complexity of the process, the consequences of failure, previous audit results, and changes in the organisation or its context.
At the individual audit level, the risk-based approach influences how you plan your time, what you sample, and where you probe. If you know from the audit plan that a particular area has had recent incidents or complaints, you allocate more time there. If a process involves outsourced activities, you examine how those are controlled rather than assuming they are fine.
The risk-based approach does not mean ignoring low-risk areas entirely. It means calibrating your effort. It also means being transparent about the basis for your decisions. If you chose to focus heavily on one area because of identified risks, that reasoning should be visible in your audit plan and, where relevant, in your report.
This principle is also relevant to how auditors evaluate the management systems they are auditing. Organisations that have genuinely implemented risk-based thinking will have evidence of it throughout their system. Auditors who understand the risk-based approach are better placed to assess whether that evidence is meaningful or just paper compliance.
How the Principles Work Together in Practice
The seven principles are not independent rules. They interact and reinforce each other. An auditor with strong integrity who lacks due professional care will still produce unreliable results. An evidence-based approach without independence produces biased conclusions. Confidentiality without fair presentation can lead to reports that protect the wrong people.
The principles work together to define what professional auditing looks like. When you are on the floor conducting an audit and you face a difficult decision, whether to push back on an answer, whether to record something as a nonconformity or an observation, whether to include a sensitive finding in the report, the principles give you a framework for making that decision in a way that is defensible and professional.
New auditors often focus on the technical aspects of auditing: the clauses, the checklists, the report format. Experienced auditors know that the principles are what separate a useful audit from a compliance exercise. The principles are what allow you to look an auditee in the eye and say, with confidence, that your findings are accurate, fair, and based on evidence.
Applying the Principles in Your Audit Programme
If you manage an internal audit programme, the principles should be reflected in how you design and operate it. Independence requirements should be built into your auditor assignment process. Due professional care should be supported by proper training and preparation time. The risk-based approach should be visible in how you schedule audits and allocate resources.
Audit programmes that are designed around the principles produce better results. They identify real issues rather than just generating paperwork. They build credibility with management because the findings are reliable. They support genuine improvement rather than just certification maintenance.
The 2026 revision of ISO 19011 reinforces these principles and adds further guidance on areas such as remote auditing and the management of audit programme risks. Staying current with the standard is part of due professional care for anyone involved in audit programme management.
If you are building or reviewing your internal audit programme, our article on how to build an internal audit programme from scratch provides a practical framework grounded in these principles.
Building Principle-Based Auditing Skills Through Training
Understanding the principles of auditing is one thing. Applying them consistently under the pressure of a real audit is another. That is why structured training matters. A good auditor training course does not just teach you the clauses of ISO 9001 or ISO 45001. It teaches you how to think and behave as an auditor, which means grounding your practice in these principles.
At Audit Workshop, our internal auditor and lead auditor courses are built around practical application of the ISO 19011 principles. You learn how to gather evidence that is verifiable, how to maintain independence in challenging situations, how to present findings fairly, and how to apply a risk-based lens to your audit planning. The training is delivered by an experienced lead auditor who has conducted over 500 external ISO certification audits, so the examples are real and the guidance is grounded in what actually happens on the floor.
Whether you are just starting out as an internal auditor or working toward lead auditor certification, understanding and applying the ISO 19011 audit principles is the foundation of everything else you will do in this field.








