ISO 19011 is an International Standard which provides guidance on auditing management systems. It is applicable to all organisations that need to conduct internal or external MS audits or manage audit programmes.
In this webinar, Richard Green, Managing Director of quality, audit and risk consultancy Kingsford Consultancy Services Ltd, discusses the changes to ISO 19011. Richard is an established expert in all quality and auditing matters.
Richard is on the International Committee for ISO 19011, so he’s able to provide more insight than most into what the changes are and how to prepare for them.
Please find the video below or read the transcript:
ISO 19011 covers:
- the principles of auditing – ‘moral values which underpin the profession’ - integrity, fair presentation, due professional care, confidentiality, independence, evidence based approach.
- managing an audit programme – designing, implementing, monitoring and reviewing & improving the programme
- the conducting of management system audits (initiating the audit to final reporting and follow up)
- the evaluation of competence of individuals involved in the audit process, including the person managing the audit programme, auditor team leaders and individual auditors.
As a guidance standard it is not something an organisation can seek certification against. Despite this, it has been universally embraced as the definitive blueprint for MS assessment.
Why review the standard?
ISO 19011 was first introduced in 2002 as guidelines for quality and/or environmental systems auditing - at that time these were the only ISO management system standards available.
By 2011 we were starting to see an expansion beyond quality and environment, so there was consequently a need to make the standard more generic.
Since then we’ve seen the introduction of a new breed of management system standards based on annex SL. This means they share a common high level structure, identical core text and common terms and core definitions. Going forwards all new ISO MSS will be annex SL based, and existing MSS will become annex SL based when they are next revised.
ISO 19011 therefore needed to be updated to reflect both the structure and contents of these new MS standards.
Key anticipated changes to ISO 19011?
Most significantly, we see the introduction of a seventh audit principle. ‘Risk-based approach: an audit approach that considers risks and opportunities’.
This risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the auditee and for achieving the audit programme objectives. Indeed, the need to consider risks (and opportunities) is prevalent in all sections of the document, from design of the programme to determining who should be on the audit team, from conducting the audit itself through to drawing audit conclusions, through considering what is communicated at the closing meeting and what is ultimately contained in the audit report.
- Structurally there have been some changes. The order of the sub-clauses under 6.4 ‘conducting the audit activities’ has been amended.
- The role ICT now plays in audit, not just in terms of where evidence is stored but also in terms of how it is being employed to facilitate the audit process.
- An interesting addition in clause 6.4.7 is text recognising that in the new annex SL world (based on documented information and not documents and records) not all information can be verified 100%. This introduces the concept of Professional Judgement which an auditor now needs to employ to determine the extent to which they can rely on such information.
- The old annex A has been deleted. This contained sector specific examples of the knowledge and skills required to audit particular types of industry. This may be reintroduced however there is very much a difference of opinion over this one.
- The old annex B now becomes annex A. This has been substantively reworked. This provides specific guidance for auditors in key topics. The range of topics has now been expanded to include; methods of auditing, professional judgement, performance outcomes, verifying information, auditing risks and opportunities and life cycle plus some significant changes to existing clauses (statistical sampling, guidance on visiting the auditee’s location).
- In addition, auditors must understand the application of management system standards in the post annex SL world and the relationships and interactions between the components of a management system in the light of annex SL.
- Audit team leaders are now expected to possess the competence to discuss strategic issues with top management.
- Throughout, terminology has been revised to reflect that latest definitions (audit criteria, audit team, technical expert, audit scope, risk, management system have all be revised). Also, suppliers has been replaced with external providers, documents and records by documented information.
- There remains an ongoing discussion as to whether ‘audit plan’ should become audit planning output and ‘audit report’, audit reporting output but as the former are such commonly used terms it is unlikely they will be changed.
Any advice for internal auditors?
I don’t expect to see training providers offering any form of ISO 19011 transition training and I’m not expecting any of the professional bodies for auditing to be mandating this for their members either. That said, these changes are significant and I’d expect organisations operating in the MS audit arena to be providing details on these to their clients.
IRCA are currently considering whether some form of mandatory CPD is required for IRCA certified auditors, perhaps in the form of required reading, and also whether revisions are necessary to their auditor training course criteria. Going forwards expect to see future auditing courses based on ISO 19001:2018, just as existing courses are based on ISO 1901:2011.
I’d expect there to be a lot of reading material out there for those who are genuinely interested in this area.
If you are serious about your role as an internal auditor (or indeed an external auditor) then you’ll want to know about these changes and how they will affect you.
- Study the draft. It’s not too early to start looking at the contents. Whilst this is still work in progress the substantive content is unlikely to change that much. Take a look at what is being proposed, then take an objective look at yourself and ask ‘is there any self- development required?’ For most of us the answer will be ‘yes’.
- Comment on the draft. If you think the changes go too far or don’t go far enough then have your say – everyone’s comment carries equal weight when they are reviewed. You could just make the world of audit a better place!
- Be prepared to challenge your organisation – if your unhappy with the way your organisation currently manages and conducts its audit programme this revision will provide an opportunity to effect change. There are real cost and efficiency benefits to be enjoyed from the deployment of an appropriately structure audit programme. Use this document to persuade top management that this is the case.
What is next?
All international standards go through a well-established process on their journey from concept though to finished article. We are currently at the Draft International Standard (or DIS stage).
This is the point where the ‘ordinary person on the street’ for want of a better expression is able to comment on the proposed content via there national standards body – in the UK, this is BSI.
The ballot closes in October. There is then a meeting of the AUS/1 committee (the ISO committee revising this standard) w/c 6th November in Mexico City. This meeting will consider the comments received and will amend the draft if deemed necessary.
Depending on the extent and nature of the comments received the committee will then either move to publish the new standard or, if there is still work to be done, it will create a final draft international standard (FDIS) as an interim step before full publication.
We will know for sure after the Mexico City meeting however ISO are currently quoting ‘mid 2018’. I think this is a fair representation.
Managing Audits using EQMS
Qualsys provide a range of auditing solutions which make it easy for auditors and management teams to identify trends in information and to see when something goes wrong.