Exploring the revised ISO 19011:2018
The new standard places emphasis on risks, opportunities and auditor competence.
Have you ever wondered why auditors are often referred to as the backbone, ears and eyes of top management? This is because the auditors can provide a diverse and independent appraisal of an organisation’s operations and activities.
The third edition of ISO 19011:2018 Guidelines for auditing management systems has been revised and published by the International Organisation for Standardisation (ISO). It replaces the second edition of 2011.
The Organisation says that the ISO 19011:2018 standard “provides guidance on auditing management systems, including the principles of auditing, managing an audit programme and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process”.
The standard is based on the following guiding principles:
1. Integrity: the foundation of professionalism;
2. Fair presentation: the obligation to report truthfully and accurately;
3. Due professional care: the application of diligence and judgement in auditing;
4. Confidentiality: security of information;
5. Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions;
6. Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process;
7. Risk-based approach: an audit approach that considers risks and opportunities.
There are numerous key changes that appear in the revised ISO 19011:2018.
Addition of the risk-based approach to the principles of auditing
The previous edition of ISO 19011:2011 had suggested taking into consideration the adoption of a risk-based approach, but did not provide much clarity. This time around, appreciation of the risk-based approach will essentially be a critical determinant when scheduling, conducting and reporting of audits.
This will prompt auditors to overcome the dilemma of hastily jumping into auditing without familiarising themselves with the means that management uses to control their functions.
Expansion of the guidance on managing an audit programme, including audit programme risk
Managing an audit programme is an overwhelming task. It requires taking into consideration activities to be reviewed, allocation of resources and the audit methodology to follow. It also needs to allow for surprises and risks that might derail the effective implementation of the programme.
Audit programme risks and opportunities may differ from one organisation to another. Hence, these risks and opportunities will influence the scope of the audit and the attainment of audit objectives.
A practical approach is to conduct a risk assessment, so as to identify potential risks to the audit lifecycle, decide on what controls to implement to mitigate these risks and report back to management.
As shown in figure 1, clause 5.3: Determining and evaluating audit programme risks and opportunities, forms part of audit programme process.
Expansion of the guidance on conducting an audit, particularly the section on audit planning
The previous guidance on conducting an audit has received a significant revision. In sub-clause 220.127.116.11: Risk-based approach to planning: “The audit team leader should adopt a risk-based approach to planning the audit based on the information in the audit programme and the documented information provided by the auditee.”
As you can imagine, the bar is being raised higher and higher for internal auditors. The unquestionable fact is that professional judgement will need to be given a good shot by the auditors.
Expansion of the generic competence requirements for auditors
Looking back to the first edition ISO 19011 (published in 2002) auditor competence was geared towards quality and environmental management systems.
There has been a significant improvement on what constitutes essential competencies that management-systems auditors need to possess or acquire. I am a strong advocate for continual development. Hence auditors need to continually upskill and remain relevant while adding value to their clients.
Management-systems training providers and personnel certification bodies need to be able to put emphasis on ISO 19011:2018, Clause 7: Competence and evaluation of auditors, in which it is noted that passing the relevant lead auditor examination and compiling audit log sheets will not be adequate. As mentioned, the bar is being set higher and higher for auditing professionals.
Additional terms and definitions
Additional terms and definitions related to audit evidence, joint audits, requirements, processes, performance and effectiveness have been included into the revised standard.
Removal of the annex containing competence requirements for auditing-specific management-system disciplines
In the previous ISO 19011:2011, Annex A (informative) section was a “guidance and illustrative examples of discipline-specific knowledge and skills of auditors when auditing transportation safety, environmental, quality, records, resilience, security, preparedness and continuity, information security, occupational health and safety management systems”.
However, in the revised ISO 19011:2018, the above Annex has been replaced with “Annex A (informative) Additional guidance for auditors planning and conducting audits”. The rationale is that it is not realistic to list all the relevant competencies given the increase in various management-system standards.
Expansion of Annex A in ISO 19011:2018
If we take into consideration that revised ISO 9001:2015 Quality managements, ISO 14001:2015 Environmental management, ISO 45001:2018 Occupational health and safety management systems as well as other standards, are based on the ISO High Level Structure (HLS), guidance on how to audit organisational context, leadership and commitment was long overdue.
The good news is that these have been included into ISO 19011:2018, together with virtual audits, compliance and supply chain.
The ISO 9001 Auditing Practices Group is also good source of methods and techniques (in the form of guidance papers) on how to audit various elements, for example, in the quality-management system.
Will the revised ISO 19011:2018 meet our expectations? The timing of the revision and publication of the guidelines for auditing management systems is perfect. Entry-level management-systems auditors and training service providers will find that the revised standard is practical and features additional guidance and some clarity on often challenging concepts such as risks and opportunities.
Last but not least, it is a great form of a refresher for experienced auditors, and helps management to know what to anticipate during and after the audits.