Managing An Audit According to ISO 19011 Guidelines

ISO 19011:2011 provides guidance on auditing management systems. It identifies the principles of auditing and provides advice as to how to manage an audit programme and conduct management system audits.

It additionally advises on the evaluation of the competence of individuals involved in the audit process, including person(s) managing the audit programme, auditors and audit teams.

Consequently, it is applicable to all organisations that need to conduct internal or external audits of management systems or who need to manage an audit programme.

This primary audit standard is currently undergoing revision. In November 2016, ISO Project Committee 302 met in Orlando to debate possible changes to the text. The outcome of that meeting was CD 19011:2016 which to many represented an evolutionary rather than a revolutionary refresh.

Yes, there was an enhanced focus on risk and some recognition of the impact of the requirements of annex SL on audit practice, but little in the way of substantive amendment. It looked to many of us as if we were heading for an audit standard fit for the 20th, as opposed to the 21st century.

Then came Milan. On 18 April, ISO/302/Joint Working Group 1 met at the offices of the Italian National Standards Body, Uni, in Milan.

What happened over the course of the following week transformed the contents of the standard. The shackles were cast aside and, led by the Italian delegation, fundamental changes were made to both the structure and the content of the Orlando CD.

What are these changes?

Perhaps most significantly, a new Principle of Auditing has been introduced into Clause 4. Along with Integrity, Fair Presentation, Due Professional Care, Confidentiality, Independence and Evidence Based Approach, auditors will now be expected to employ a ‘Risk Based Approach’:

“Risk-based approach: an audit approach that considers risks and opportunities. The risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the auditee and for achieving the audit programme objectives.”

This new principle recognises not only the increased emphasis on risk that flows through all annex SL based standards, but also the generic importance of manging risk in any business management system, whether this is externally certificated or not.

The new risk-based approach principle is embodied into the standard through a series of additional of new sub-clauses 5.1.1, 6.1.1 and 7.1.1 which call for consideration of risk and opportunities when managing the audit programme, performing an audit and when evaluating the competence of auditors.

Selected other changes to the Orlando text include:

Important inclusions in annex A, ‘Additional guidance for auditors for planning and conducting audits’. New paragraphs have been introduced covering performance outcome, process approach, life cycle, professional judgement, remote auditing, auditing risks and opportunities, and the use of ICT in the audit process. Auditors will also need to understand context of an organisation.

Structurally, the previous annex A, ‘Guidance and illustrative examples of discipline-specific knowledge and skills of auditors’ is set to be reintroduced following its deletion in Orlando, either into ISO 19011 itself, or by means of its publication on a suitable website. How such a website would be hosted is yet to be agreed.

As ISO 19011 is not a management system standard in its own right. It will not adopt the high-level structure set out in Annex SL. It will instead maintain the same seven clauses as at present, although the sub-clauses under clause 6.4 are to be reordered into a more logical order.

There has been little change to the scope, however, the introduction has been shortened and simplified.

Finally, there will be either additional text or a diagram to explain the difference between combined, joint and integrated audits.

Next steps

Due to the nature and extent of the proposed changes, the joint working group’s preference was to produce a CD2 for National Body comment instead of going straight to DIS. When ISO was approached for permission, however, they indicated that this was out of the question based on the size of the positive vote for the original CD.

Accordingly, the dispositioned comments accepted at Milan, along with the joint working group’s own agreed amendments to the CD text, will now need to be worked up into a DIS which will then be put out to ballot in about a month’s time.

A word of caution

At this time, ISO 19011 is still in a state of transition. While this position statement reflects the contents of the standard, at this point in time it is highly likely that future meetings will amend the current text further. Consequently, this update is provided ‘for information only’.

Attribute to original publisher/ publishing organization: Richard Green, CQP MCQI, is the CQI representative for ISO 17021-3, ISO 19011 and ISO 45001 and managing director of Kingsford Consultancy Services. https://www.quality.org/knowledge/update-iso-19011-guidance-auditing-management-systems