What does ISO 19011 cover?
1. The principles of auditing: integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach.
2. Managing an audit programme: designing, implementing, monitoring, reviewing and improving the programme.
3. Conducting management system audits: initiating the audit to final reporting and follow-up.
4. Evaluating the competence of individuals involved in the audit process: including the person managing the audit programme, auditor team leaders and individual auditors.
As a guidance standard it's not something an organisation can seek certification against.
But ISO 19011:2018 has been universally embraced as the definitive blueprint for management system auditing.
Why the change to the 2018 version?
ISO 19011 was first introduced in 2002 as a guideline for quality and/or environmental systems auditing.
At that time these were the only ISO management system standards available.
By 2011 an expansion beyond quality and environment brought a need to make the standard more generic.
Since then a new breed of management system standards based on Annex SL have been developed, sharing:
- A common high-level structure
- Identical core text
- Common terms and core definitions
With all new and revised ISO standards adopting the Annex SL structure, ISO 19011 needed to be updated to reflect these new management system standards.
The key change for ISO 19011:2018 is the introduction of a seventh audit principle: the 'risk-based approach'.
This risk-based approach should influence audit:
This should ensure that audits are focused on matters that are significant for the auditee and for achieving your audit programme objectives.
The need to consider risks (and opportunities) permeates all sections of the standard, including:
- design of the programme and audit team
- conducting the audit itself and drawing audit conclusions
- considering what's communicated post-audit and in the audit report
1. Structurally there have been some changes. The order of the sub-clauses under 6.4, 'conducting the audit activities', has been amended.
2. IT plays a greater auditing role, not just in terms of where evidence is stored but also in terms of how it's being employed to facilitate the audit process.
3. An interesting addition in clause 6.4.7 is text recognising that in the new Annex SL world (based on documented information and not documents and records) not all information can be 100% verified.
This introduces the concept of professional judgement, which an auditor now needs to employ to determine the extent to which they can rely on information.
4. The old Annex A has been deleted and the old Annex B now becomes Annex A.
Annex B has been substantively reworked. This provides specific guidance for auditors in key topics:
- methods of auditing
- professional judgement
- performance outcomes
- verifying information
- auditing risks and opportunities and lifecycle
- some significant changes to existing clauses (statistical sampling, guidance on visiting the auditee's location)
In addition, auditors must understand the application of management system standards in the post-Annex SL world and the relationships and interactions between the components of a management system in light of Annex SL.
5. Audit team leaders are now expected to possess the competence to discuss strategic issues with top management
6. Terminology has been revised to reflect changes in definitions of:
- Audit criteria, team and scope
- Technical experts
- Management system
'Suppliers' have been replaced with 'external providers', 'documents and records' by 'documented information'.
Advice for internal auditors
1. Study the content, then take an objective look at yourself and ask, "is there any self-development required?" For most of us the answer will be "yes".
2. Comment on the draft. If you think the changes go too far or don't go far enough then have your say – everyone’s comment carries equal weight when they're reviewed. You could just make the world of audit a better place!
3. Challenge your organisation – if you're unhappy with the way your organisation currently manages and conducts its audit programme, ISO 19011 is your opportunity to drive change.
There are real cost and efficiency benefits from an appropriately structured audit programme.
Use ISO 19011 to persuade top management that this is the case.
Or download our free datasheets: