The ISO 19011 standard provides guidance on auditing management systems. It applies to all organisations that need to conduct internal or external management system (MS) audits or manage audit programmes.
In this webinar, Richard Green, Managing Director of quality, audit and risk consultancy Kingsford Consultancy Services Ltd, discusses the changes to ISO 19011. Richard is an established expert in all quality and auditing matters.
Richard is on the International Committee for ISO 19011, so he’s able to provide more insight than most into what the changes are and what you should do to prepare for them.
We've provided both a video and a full transcript below:
What does ISO 19011 cover?
- The principles of auditing – 'moral values which underpin the profession' – integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach.
- Managing an audit programme – designing, implementing, monitoring and reviewing and improving the programme.
- Conducting management system audits – initiating the audit to final reporting and follow-up.
- Evaluating the competence of individuals involved in the audit process – including the person managing the audit programme, auditor team leaders and individual auditors.
As a guidance standard it's not something an organisation can seek certification against. Despite this, it's been universally embraced as the definitive blueprint for MS assessment.
Why review the standard?
ISO 19011 was first introduced in 2002 as guidelines for quality and/or environmental systems auditing. At that time these were the only ISO management system standards available.
By 2011 we were starting to see an expansion beyond quality and environment, so there was consequently a need to make the standard more generic.
Since then we've seen the introduction of a new breed of management system standards based on Annex SL. This means they share a common high-level structure, identical core text and common terms and core definitions. Going forwards all new ISO MS standards will be based on Annex SL, and existing MS standards will adopt Annex SL when they're next revised.
ISO 19011 therefore needed to be updated to reflect both the structure and contents of these new MS standards.
What are the key anticipated changes to ISO 19011?
Most significantly, we see the introduction of a seventh audit principle, 'Risk-based approach: an audit approach that considers risks and opportunities'.
This risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the auditee and for achieving the audit programme objectives. Indeed, the need to consider risks (and opportunities) is prevalent in all sections of the document, from design of the programme to determining who should be on the audit team, from conducting the audit itself through to drawing audit conclusions, through considering what's communicated at the closing meeting and what's ultimately contained in the audit report.
- Structurally there have been some changes. The order of the sub-clauses under 6.4 'Conducting the audit activities' has been amended.
- The role ICT now plays in audit, not just in terms of where evidence is stored but also in terms of how it's being employed to facilitate the audit process.
- An interesting addition in clause 6.4.7 is text recognising that in the new Annex SL world (based on documented information and not documents and records) not all information can be verified 100%. This introduces the concept of professional judgement, which an auditor now needs to employ to determine the extent to which they can rely on such information.
- The old Annex A has been deleted. This contained sector-specific examples of the knowledge and skills required to audit particular types of industry. This may be reintroduced – however there's very much a difference of opinion over this one.
- The old Annex B now becomes Annex A. This has been substantively reworked. This provides specific guidance for auditors in key topics. The range of topics has now been expanded to include: methods of auditing; professional judgement; performance outcomes; verifying information; auditing risks and opportunities and lifecycle, plus some significant changes to existing clauses (statistical sampling, guidance on visiting the auditee's location).
- In addition, auditors must understand the application of management system standards in the post-Annex SL world and the relationships and interactions between the components of a management system in light of Annex SL.
- Audit team leaders are now expected to possess the competence to discuss strategic issues with top management.
- Throughout, terminology has been revised to reflect the latest definitions (audit criteria, audit team, technical expert, audit scope, risk, management system have all been revised). Also, 'suppliers' has been replaced with 'external providers', 'documents and records' by 'documented information'.
- There remains an ongoing discussion as to whether 'audit plan' should become 'audit planning output' and 'audit report' 'audit reporting output', but as the former are such commonly used terms it's unlikely they'll be changed.
Any advice for internal auditors?
I don't expect to see training providers offering any form of ISO 19011 transition training and I'm not expecting any of the professional bodies for auditing to be mandating this for their members either. That said, these changes are significant and I'd expect organisations operating in the MS audit arena to be providing details on these to their clients.
IRCA are currently considering whether some form of mandatory CPD is required for IRCA-certified auditors, perhaps in the form of required reading, and also whether revisions are necessary to their auditor training course criteria. Going forward, expect to see future auditing courses based on ISO 19011:2018, just as existing courses are based on ISO 19011:2011.
I'd expect there to be a lot of reading material out there for those who are genuinely interested in this area.
If you're serious about your role as an internal auditor (or indeed an external auditor) then you'll want to know about these changes and how they'll affect you.
- Study the draft. It's not too early to start looking at the contents. Whilst this is still a work in progress the substantive content is unlikely to change that much. Take a look at what's being proposed, then take an objective look at yourself and ask "is there any self-development required?" For most of us the answer will be "yes".
- Comment on the draft. If you think the changes go too far or don't go far enough then have your say – everyone’s comment carries equal weight when they're reviewed. You could just make the world of audit a better place!
- Be prepared to challenge your organisation – if you're unhappy with the way your organisation currently manages and conducts its audit programme this revision will provide an opportunity to effect change. There are real cost and efficiency benefits to be enjoyed from the deployment of an appropriately structured audit programme. Use this document to persuade top management that this is the case.
All international standards go through a well-established process on their journey from concept through to finished article. We are currently at the Draft International Standard (or DIS) stage.
This is the point where the 'ordinary person on the street' for want of a better expression is able to comment on the proposed content via their national standards body – in the UK, this is BSI.
The ballot closes in October. There's then a meeting of the AUS/1 committee (the ISO committee revising this standard) week commencing 6 November in Mexico City. This meeting will consider the comments received and will amend the draft if deemed necessary.
Depending on the extent and nature of the comments received, the committee will then either move to publish the new standard or, if there's still work to be done, it'll create a final draft international standard (FDIS) as an interim step before full publication.
We will know for sure after the Mexico City meeting, however ISO are currently quoting 'mid 2018'. I think this is a fair representation.
Managing audits using EQMS
Qualsys provide a range of auditing solutions that make it easy for auditors and management teams to identify trends in information and to see when something goes wrong.