Which three of the following work documents are not required for audit planning by an auditor conducting a certification audit?

A. An audit plan
B. A sample plan
C. An organisation’s financial statement
D. A checklist
E. A career history of the IT manager
F. A list of external providers

Answer: C, E, F

Explanation:

According to ISO 19011:2018, which provides guidelines for auditing management systems, an auditor conducting a certification audit should prepare for an audit by reviewing relevant information about the auditee’s context and processes [1]. This may include reviewing documented information related to the audited management system (such as policies, procedures, manuals), previous audit reports and records (such as findings, nonconformities, corrective actions), relevant legal and regulatory requirements (such as laws, standards), relevant risks and opportunities (such as internal and external issues), relevant performance indicators (such as objectives, targets), etc. [1]. Therefore, an auditor may need work documents such as an audit plan (which defines what will be done during an audit), a sample plan (which defines how many samples will be taken from a population), and a checklist (which helps to ensure that all relevant aspects are covered during an audit) [1]. However, an auditor does not need work documents such as an organisation’s financial statement (which is not directly related to information security management), a career history of the IT manager (which is not relevant to assessing conformity with ISO/IEC 27001:2022), or a list of external providers (which is not necessary for planning an audit) [1].

Reference: [1] ISO 19011:2018 – Guidelines for auditing management systems
