ISO 19011:2018 – Guidelines for auditing management systems was published last week. The standard applies to organisations that need to conduct internal or external audits of management systems and manage audit programmes. The standard covers:
- The principles of auditing;
- Managing an audit programme;
- Conducting management system audits;
- Guidance on evaluating the competence of personnel involved in the audit process.
All new management system standards including ISO 9001, ISO 14001, ISO 27001 and ISO 45001 are based on Annex SL format and terminology. Annex SL was developed to ensure that all future ISO management system standards share a common format irrespective of the specific discipline to which they relate.
Annex SL prescribes a high-level structure, identical core text, and common terms and core definitions and greatly facilitates the integration of management systems. As a result of the introduction of these new standards, there is a need to consider a broader approach to management system auditing, as well as providing guidance that is more generic in nature. Audit results can provide input to the analysis aspect of business planning and can contribute to the identification of improvement needs and opportunities.
Planning is an integral part of all management systems. Effective planning is concerned with prevention by identifying, eliminating and controlling hazards and risks.
Annex SL requires that when planning for any management system (clause 6.1), the organisation should take into account the following:
- The organization and its context (clause 4.1);
- The needs and expectations of interested parties (clause 4.2);
- The scope of the management system (clause 4.3).
Planning should be proportionate to the level of risk identified and this principle resonates with ISO 19011.
The main changes introduced by ISO 19011:2018 are as follows:
- Addition of the risk-based approach to the principles of auditing;
- Expansion of guidance on managing an audit programme, including audit programme risk;
- Expansion of the guidance on conducting an audit, particularly the section on audit planning;
- Expansion of the generic competence requirements for auditors;
- Adjusted terminology to reflect the process approach to auditing;
- Removal of the annex containing competence requirements for auditing specific management system disciplines (due to the large number of individual management system standards, it would be impractical to include competence requirements for all disciplines);
- Expansion of Annex A to provide guidance on auditing (new) concepts such as organizational context, leadership and commitment, virtual audits, compliance and supply chain.
The standard provides guidance for all sizes and types of organisations and audits of varying scopes and complexities, including those conducted by large audit teams, typically of larger organizations, and those by single auditors, whether in large or small organisations. The guidance should be adapted as appropriate to the scope, complexity and scale of the audit programme.
The standard concentrates on internal audits (first party audits) and audits conducted by organisations on their external suppliers and other external interested parties (second party audits). The standard is also useful for external audits conducted for purposes other than third party management system certification. ISO/IEC 17021-1 provides requirements for auditing management systems for third party certification and ISO 19011 can provide useful additional guidance.
ISO 19011:2018 does not follow the annex SL model but does have a risk-based approach. It contains the following main clauses:
- Clause 4 describes the principles on which auditing is based. These principles help the user to understand the essential nature of auditing and are important in understanding the guidance set out in clauses 5 to 7;
- Clause 5 provides guidance on establishing audit programme objectives, determining and evaluating audit programme risks and opportunities, and implementing, monitoring, reviewing and improving the audit programme;
- Clause 6 provides guidance on initiating the audit, preparing and conducting audit activities, preparing and distributing the audit report, completing the audit and conducting audit follow-up;
- Clause 7 provides guidance on determining auditor competence, establishing auditor evaluation criteria, selecting appropriate auditor evaluation methods, conducting auditor evaluation and maintaining and improving auditor competence.;
- Annex A provides additional guidance for auditors planning and conducting audits.
An audit can be conducted against a range of audit criteria, separately or in combination, including but not limited to:
- requirements defined in one or more management system standards;
- policies and requirements specified by relevant interested parties;
- statutory and regulatory requirements and other requirements;
- one or more management system processes defined by the organisation or other parties;
- management system plans relating to the provision of specific outputs of a management system (e.g. quality plan, project plan, etc.).
A new seventh principle of auditing has been added to Clause 4 to complement existing principles of integrity, fair presentation, due professional care, confidentiality, independence and evidence-based approach, which are inherited from the 2011 version of the standard. Auditors will now be expected to employ a ‘risk- based approach’ in order to substantively influence the planning, conducting and reporting of audits such that audits are focused on matters that are significant for the auditee and for achieving the audit programme objectives.
Clause 5: Managing the audit programme now requires that consideration be given to the organisation’s identified risks and opportunities and the actions taken to address them when preparing the audit programme.
Clause 5.3 Determining and evaluating audit programme risks and opportunities states that there are risks and opportunities, and internal and external issues associated with an audit programme that can affect the achievement of its objectives. The person managing the audit programme should present to management the risks and opportunities considered when developing the audit programme and its resource requirements.
Annex A, ‘Additional guidance for auditors for planning and conducting audits’ has been expanded to include the following auditing topics:
- 1 Applying audit methods
- 2 Process approach to auditing
- 3 Professional judgement
- 4 Performance results
- 5 Verifying information
- 6 Sampling
- 7 Auditing compliance within a management system
- 8 Auditing context
- 9 Auditing leadership and commitment
- 10 Auditing risks and opportunities
- 11 Life cycle
- 12 Audit of supply chain
- 13 Preparing audit work documents
- 14 Selecting sources of information
- 15 Visiting the auditee’s location
- 16 Auditing virtual activities and locations
- 17 Conducting interviews
- 18 Audit findings
In summary, ISO 19011:2018 is a welcome addition to the auditing canon and should contribute to a substantial improvement in the conduct of management system and other audits.
