Exemplar Global certified courses from USD 99. Save while it lasts. Enrol today.

Terms and Definitions in ISO 19011:2026 Explained for Auditors

AW

Team @ Audit Workshop

12 min read
Terms and Definitions in ISO 19011:2026 Explained for Auditors

Why the Definitions Section Matters More Than You Think

Most auditors skip straight past Clause 3 of ISO 19011. They figure they already know what an audit is, they understand what a finding means, and they can get on with the practical stuff. That instinct is understandable, but it costs them later.

The 2026 edition of ISO 19011 introduced a revised and expanded set of terms and definitions. Some terms changed meaning. Some new ones appeared. A few were removed or consolidated. If you are auditing against the 2026 edition, or training others to do so, the definitions in Clause 3 are not background reading. They are the foundation everything else sits on.

This article walks through the key terms in ISO 19011:2026, explains what they mean in plain language, and shows how they connect to real audit practice. Whether you are preparing for a lead auditor exam, building your internal audit programme, or just trying to make sense of the updated standard, this is where to start.

The Core Audit Terms You Need to Get Right

Audit

ISO 19011:2026 defines an audit as a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.

That definition has three load-bearing words. Systematic means it follows a planned approach, not a random walk through the organisation. Independent means the auditor is free from bias and conflicts of interest. Documented means there is a record, not just a conversation.

The phrase audit criteria is equally important. The audit is not about whether the auditor personally thinks the system is good. It is about whether the system meets the criteria it is being measured against, whether that is a standard, a contract, a policy, or a legal requirement.

Auditing

This is one of the terminology changes introduced in the 2026 edition. The standard now uses the term auditing to refer to the overall activity and discipline, distinguishing it from a single audit event. You can read more about this shift in the dedicated article on terminology changes from audit to auditing in ISO 19011:2026.

In practice, this distinction matters when you are talking about an audit programme. The programme manages auditing as an ongoing activity. Individual audits are discrete events within that activity.

Audit Client

The audit client is the organisation or person that requests the audit. This is often the organisation being audited, but not always. In a second party audit, the client might be the purchasing organisation that commissions an audit of its supplier. In a third party audit, the client is typically the certification body.

Understanding who the client is matters because the audit report goes to the client. The scope, objectives, and criteria are agreed with the client. If you are unclear who the client is, you risk reporting to the wrong person or missing key expectations.

Auditee

The auditee is the organisation being audited. In most internal audits, the auditee and the client are the same organisation, just represented by different people. In external audits, they are separate entities.

The auditee is responsible for providing access to processes, people, and records. They are also responsible for implementing corrective actions after the audit. Understanding the auditee's obligations helps auditors know what they can reasonably expect during an audit and what to do when access is denied or records are unavailable.

Audit Team

The audit team consists of one or more auditors conducting the audit, with one designated as the team leader. The team may also include technical experts and observers. ISO 19011:2026 is clear that technical experts support the audit team but do not act as auditors. They provide specialised knowledge, not audit judgements.

In practice, the composition of the audit team needs to match the scope of the audit. If you are auditing a chemical manufacturing facility and no one on the team understands process safety, you have a competence gap that needs to be addressed before the audit starts, not during it.

Become a certified ISO auditor
Globally recognised auditor training — Foundation, Internal Auditor and Lead Auditor — self-paced online with a shareable certificate.
Explore Courses
Exemplar Global Recognised Training ProviderRecognised Training ProviderRTP No. 310970

Audit Programme and Audit Plan: Two Different Things

These two terms are frequently confused, and the confusion leads to real problems in how organisations manage their audit function.

Audit Programme

An audit programme is the set of one or more audits planned for a specific time frame, directed toward a specific purpose. It includes the schedule, the resources, the criteria, the scope, and the methods to be used. The audit programme is managed over time and reviewed for effectiveness.

Think of the audit programme as the annual plan. It answers the questions: what will be audited, when, by whom, against what criteria, and using what approach.

Audit Plan

An audit plan is specific to a single audit. It describes the activities and arrangements for that audit, including the date, the processes to be covered, the auditors assigned, the time allocated to each area, and the logistics. The audit plan is developed from the audit programme and agreed with the auditee before the audit begins.

Getting these two terms right matters because ISO 9001 Clause 9.2 requires an audit programme, not just a collection of individual audit plans. If your organisation only has a list of audit dates, it probably does not have a programme in the sense ISO 19011 intends.

Evidence, Findings, and Conclusions

Audit Evidence

Audit evidence is records, statements of fact, or other information that are relevant to the audit criteria and verifiable. The key word is verifiable. An auditor's impression that something seems to be working is not evidence. A signed training record, a completed inspection checklist, a procedure with a revision date, a system log, an interview response that can be corroborated, these are evidence.

ISO 19011:2026 recognises three types of evidence: documents, records, and observations made during the audit. Good auditors triangulate across all three. If the procedure says one thing, the records show another, and the operator describes a third practice, that gap is significant and worth pursuing.

Audit Findings

Audit findings are the results of evaluating the collected audit evidence against the audit criteria. Findings can be positive, indicating conformity, or negative, indicating nonconformity. They can also identify opportunities for improvement.

A common mistake is treating the terms finding and nonconformity as interchangeable. They are not. A finding is the broader category. A nonconformity is a specific type of finding where a requirement is not met. An observation or opportunity for improvement is also a finding, but it does not indicate a failure to meet a requirement.

Audit Conclusions

The audit conclusion is the outcome of the audit after considering the audit objectives and all the findings. It is the team leader's overall judgement about the state of the management system based on the evidence collected.

Conclusions are not a summary of findings. They go further. A conclusion might be that the system is effectively implemented and maintained, or that there are systemic weaknesses in a particular area, or that the organisation is ready for certification. The conclusion requires professional judgement, not just a count of nonconformities.

Nonconformity: Major and Minor

ISO 19011:2026 retains the distinction between major and minor nonconformities and provides clearer guidance on how to grade them. This is one of the areas where the 2026 edition strengthened expectations compared to the 2018 version.

A major nonconformity is a failure that significantly affects the ability of the management system to achieve its intended outcomes. It might be the complete absence of a required process, a systemic breakdown across multiple areas, or a failure that creates significant risk.

A minor nonconformity is an isolated failure that does not significantly affect the system's ability to achieve its intended outcomes. A single missing record in an otherwise well-maintained system might be a minor nonconformity. A pattern of missing records across multiple processes is something else entirely.

The grading of nonconformities has direct consequences. In a certification audit, a major nonconformity typically prevents certification until it is resolved. In an internal audit, the grading influences the urgency and priority of the corrective action response. Getting the grading right matters, and it requires judgement, not just rule application.

Competence and Related Terms

Competence

ISO 19011:2026 defines competence as the ability to apply knowledge and skills to achieve intended results. For auditors, this covers technical knowledge of the standard being audited, auditing skills such as interviewing and evidence gathering, and personal attributes such as objectivity and professional judgement.

Competence is not the same as qualification. Having a certificate from a training course is evidence of knowledge. Demonstrating that you can apply that knowledge in a real audit is competence. ISO 19011 is explicit that auditor competence needs to be evaluated, not just assumed from credentials.

Technical Expert

A technical expert is a person who provides specific knowledge or expertise to the audit team but does not act as an auditor. They might be a subject matter expert in a particular process, a language interpreter, or a specialist in a regulated industry.

The distinction matters for audit integrity. Technical experts advise. They do not make audit judgements, raise findings, or sign off on conclusions. If a technical expert starts directing the audit rather than supporting it, the independence of the process is compromised.

Audit Scope, Criteria, and Objectives

These three terms define the boundaries and purpose of any audit. Confusion between them is one of the most common causes of poorly planned audits.

Audit scope defines the extent and boundaries of the audit. It describes what is included, which processes, which sites, which time periods, and what is excluded. A clear scope prevents scope creep during the audit and manages auditee expectations.

Audit criteria are the set of requirements used as a reference against which audit evidence is compared. For a certification audit, the criteria are the requirements of the relevant ISO standard. For an internal audit, the criteria might include the standard, the organisation's own procedures, and applicable legal requirements.

Audit objectives describe what the audit is intended to achieve. Typical objectives include determining the extent of conformity with audit criteria, evaluating the effectiveness of the management system, and identifying opportunities for improvement. Objectives should be agreed with the audit client before the audit begins.

Getting all three right before the audit starts is not administrative housekeeping. It is the difference between an audit that produces useful, actionable results and one that leaves everyone uncertain about what was actually assessed.

Risk Based Approach in the Definitions

ISO 19011:2026 embeds risk-based thinking throughout the standard, and this is reflected in the definitions. The concept of risk as it applies to auditing refers to the effect of uncertainty on the ability of the audit process to achieve its objectives.

This means that when planning an audit, you are not just scheduling time against a list of clauses. You are making judgements about where the most significant risks lie, where previous audits have found problems, where processes are complex or critical, and where the consequences of failure are highest. Those judgements should drive where you spend your audit time.

The risk-based approach also applies to the audit programme itself. Higher risk areas should be audited more frequently or with greater depth. This is a principle embedded in the definitions, not just in the guidance sections of the standard.

How These Definitions Connect to Audit Practice

Understanding the definitions is not an academic exercise. Every time you write an audit finding, you are making a judgement about evidence and criteria. Every time you grade a nonconformity, you are applying the distinction between major and minor. Every time you agree a scope with an auditee, you are drawing on the definition of scope to set boundaries that are clear and defensible.

Auditors who have internalised these definitions write better findings, conduct more focused audits, and communicate results more clearly. Auditors who treat the definitions as background noise tend to produce findings that are vague, gradings that are inconsistent, and conclusions that do not hold up to scrutiny.

If you are building or updating your internal audit programme in line with the 2026 edition, the definitions in Clause 3 are the starting point. They set the shared language that everyone involved in auditing needs to use consistently.

For a broader view of how ISO 19011:2026 shapes the entire audit process, the article on how ISO 19011 guidelines shape modern audit practice provides useful context. And if you want to understand how the 2026 edition changed from the previous version, the article on what changed from the 2018 edition covers the key updates in detail.

Putting It All Together

The terms and definitions in ISO 19011:2026 are not just vocabulary. They are the conceptual framework that holds audit practice together. When an audit team shares a common understanding of what evidence means, what a finding is, how scope differs from criteria, and what makes a nonconformity major rather than minor, the audit runs more smoothly and produces results that are credible and useful.

If you are new to auditing, spending time on Clause 3 before you start planning your first audit will pay dividends. If you are experienced, revisiting the 2026 definitions is worth doing to make sure your practice is aligned with the updated standard.

At Audit Workshop, our ISO auditor training courses are built around practical application of these concepts. Whether you are starting with a Foundation course to build your understanding of audit terminology and principles, or working through an Internal Auditor or Lead Auditor course that puts these definitions into practice through real audit scenarios, the training is designed to make these terms second nature rather than just exam answers. If you are ready to build a solid foundation in ISO auditing, explore the courses available at Audit Workshop.

Frequently Asked Questions

Audit findings are the results of evaluating collected evidence against the audit criteria for specific requirements or processes. They can be conformities, nonconformities, or observations. Audit conclusions are the overall outcome of the entire audit, reached by the audit team after considering all findings in light of the audit objectives. Conclusions require professional judgement and go beyond simply listing what was found.
Start Learning

Ready to Build Real Audit Skills?

Join practitioners training with ISO auditors who've conducted 500+ external certification audits.

ISO 9001:2015 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
ISO 45001:2018 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
ISO 14001:2026 Lead Auditor Training Course
  • Lead Auditor
  • Self-Paced Online
  • Exemplar Global
  • USD 199USD 789
Exemplar Global Recognised Training Provider digital badge

Audit Workshop is an Exemplar Global Recognised Training Provider

Globally Recognised, Certified Training

Pass an Exemplar Global Certified course and you earn a Certificate of Attainment and an Exemplar Global digital badge. Audit Workshop graduates can apply for third-party Personnel Certification through Exemplar Global.

  • 12 months of Graduate certification
  • Access to Exemplar Global Community
  • Access to self-coaching assessment
  • Access to webinars, events, and online resources
Learn Anytime

No fixed schedule. Start, pause, and pick up exactly where you left off.

Instant Certificate

Download your digital certificate the moment you complete the course.

Practical Content

Every lesson is built from real-world ISO auditing experience.

Lifetime Access

Course materials are yours to keep and revisit long after you complete.