audit scope

Audit scope is the formally defined boundary of an audit, describing what will be evaluated and what is excluded. In industrial and regulated manufacturing environments, it typically specifies which sites, processes, product lines, departments, time periods, standards, and information systems are covered by a specific audit activity.

What audit scope usually includes

In practice, an audit scope description often covers:

• Locations and entities: plants, warehouses, design centers, or legal entities included in the audit
• Processes and activities: manufacturing, maintenance, calibration, purchasing, design, software validation, document control, etc.
• Products and services: product families, part ranges, or service types that fall under the audit
• Time period: the timeframe of records to be sampled (for example, the last 12 months of production)
• Standards and criteria: the specific regulations, customer specifications, or management system standards being assessed (for example, ISO 9001, AS9100, IATF 16949, regulatory rules)
• Systems and data: which IT/OT systems are in scope (MES, ERP, QMS, document control, maintenance systems) and related interfaces

For certification or compliance audits, the audit scope is typically documented in the audit plan and on the certificate itself, and is agreed in advance between the auditee and the auditing body.

Operational meaning in manufacturing

In manufacturing operations, audit scope helps determine:

• Which production lines, cells, or maintenance areas auditors will visit
• Which records, logs, and data sets (for example, batch records, travelers, NCs, CAPAs, calibration records) must be prepared
• Which suppliers, outsourced processes, or logistics flows need to be included
• Which digital systems and integrations (for example, MES to ERP interfaces, data historians, PLM links) must be available for review

When organizations maintain multiple schemes (for example, ISO 9001 plus AS9100 or IATF 16949), each certification or regulatory program can have its own audit scope and may involve separate sites, processes, and system boundaries. This affects planning, documentation, and the number and type of audits that must be performed.

What audit scope is not

Audit scope is related to, but distinct from:

• Audit objectives: why the audit is being performed (for example, certification, surveillance, supplier qualification, internal process check)
• Audit criteria: the specific requirements used as the benchmark (standards, procedures, contracts, regulatory clauses)
• Audit plan or schedule: the timing, agenda, and sequence of audit activities

Audit scope sets the boundary of what is examined; it does not define the detailed audit checklist or sampling method.

Common confusion

• Audit scope vs. organizational scope of certification: The scope of certification describes what the organization is certified for (for example, design and manufacture of aerospace components). An individual audit's scope might be narrower, covering only one site or subset of processes at a given time.
• Audit scope vs. risk scope: Risk assessments may consider a wide range of potential issues, while an audit scope may intentionally focus on a subset of those areas, such as special processes or high-risk suppliers.

Link to the derived context

When moving between or adding standards such as ISO 9001, AS9100, or IATF 16949, organizations often need to manage expanded or overlapping audit scopes. This can mean including additional sites, processes, or regulatory interfaces in external certification audits and aligning internal audit programs so that each scheme's requirements are covered within the defined scopes.