Report
ISO 19011:2018
Understanding the International Standard
Ideagen provides software and expertise to help the world’s leading brands to improve efficiency, prevent undesirable events and ensure compliance by managing quality, safety, audit and every aspect of operational risk.
With over 4,000 customers in more than 90 countries, Ideagen’s products and services are at the forefront of quality, safety, risk, operational performance and compliance management for some of the world’s best-known organizations including PwC, Heineken, NHS, Emirates and Harvard University. Ideagen is dedicated to promoting enterprise-wide quality management through compliance with standards such as ISO 9001 and many more.
© 2018 Chartered Quality Institute. All Rights Reserved
Contents
1. Foreword by Ideagen (p. 3)
2. Introduction (p. 4)
3. Message from Denise Robitaille (p. 7)
4. Executive summary (p. 9)
5. Interpretation and comment (p. 10)
6. Clause by clause evaluation (p. 11)
   Foreword (p. 11)
   Introduction (p. 11)
   1. Scope (p. 12)
   2. Normative References (p. 12)
   3. Terms and Definitions (p. 13)
   4. Principles of Auditing (p. 13)
   5. Managing an Audit Programme (p. 14)
   6. Conducting an Audit (p. 26)
   7. Competence and Evaluation of Auditors (p. 40)
   ISO 19011:2011 Annex A (Informative) (p. 48)
   ISO 19011:2018 Annex A (Informative) - Additional guidance for auditors planning and conducting audits (p. 49)
   Bibliography
7. Implications for specific audit roles (p. 61)
8. Conclusion (p. 65)
9. ISO 19011:2011 vs ISO 19011:2018 clause comparison (p. 67)
10. Acknowledgements (p. 72)
www.quality.org | 1
2 | ISO 19011:2018 | Understanding the International Standard
1. Foreword by Ideagen
The release of ISO 19011:2018 highlights the emergence of the “business focused auditor.” Gone are the days of the auditor being a detached observer, policing processes and procedures. Today’s auditors are relied upon by their businesses to focus on what is important. Auditors are now leading conversations with senior management about areas of risk and the reasons why the business is not meeting its objectives. Ideagen has partnered with audit professionals for over twenty years, supplying the technology required to manage the complexity that an audit programme demands. The discipline has matured in that time, along with the management systems themselves, but the pace of change has accelerated rapidly in the previous few years. We have seen audit professionals proactively adopt a far more strategic audit methodology where the risk assessment process is the key driver of the audit plan. Audit departments are maintaining an up-to-date view of overall risk levels across the organization, becoming more agile in their approach to target the areas of real concern.
ISO 19011:2018 reflects the best practices that auditors have shown over the last few years, and gives less mature organizations a worthy standard to aspire to. Regardless of maturity, the nature of risk is evolving, bringing new challenges: it now includes digital business, increasing ownership of supply chain risk and an assurance remit over increasingly focused management systems. Whilst a rapidly changing risk environment can be extremely daunting, adopting a risk-based perspective to audit planning and execution decreases organization risk by:
• Improving the integrity of the organization
• Identifying potentially significant risks and issues in a timely manner
• Holding management to account, and
• Identifying and communicating improvement that would benefit the organization.
ISO 19011:2018 will go a long way to support auditors of all maturity levels to adopt a business focus, proving that quality is about performance, not just conformance.
2. Introduction
Following its introduction in October 2002, ISO 19011 quickly established itself as the premier source of guidance for quality professionals whose roles encompassed management systems audit. Whereas the 2002 edition focussed solely on the audit of quality and environmental management systems, it became the de facto standard for auditors of all other disciplines. The 2011 edition recognised this, as does the latest 2018 edition, in providing guidance which is designed to be applicable to any type of management system audit, irrespective of technical discipline or whether the management system under examination is based on an ISO standard or otherwise. For those commissioning management system audits, those tasked with audit programme delivery, those engaged in planning, conducting and reporting single audits and those who are subject to being audited, this is the generic standard that establishes the framework within which management system audit activity typically takes place. ISO 19011 provides detailed guidance regarding:
• Managing audit programmes
• Planning and conducting management system audits
• The competence of personnel involved in planning and conducting audits and how this can be evaluated.
Additionally, it outlines common terms and definitions relating to audit and identifies principles which should govern the overall approach to audit. For those new to management system audit or those seeking to expand their existing understanding, ISO 19011:2018 also contains specific guidance on a range of related topics in an enhanced annex to the main standard. It is important to remember that ISO 19011 is a guidance standard. As such, it does not contain requirements that organizations must meet, nor is it a standard that organizations can secure third party certification against. Its focus is instead orientated towards first party audits (internal audits) and second party audits (audits conducted by organizations on external providers and other external interested parties). And while requirements for third party management system certification are contained within the ISO 17021-X series of standards, ISO 19011 is recognised as providing useful guidance for third party conformity assessment, or certification. For the Chartered Quality Institute (CQI) and International Register of Certificated Auditors (IRCA), the importance of ISO 19011 is immense. Over 70,000 delegates each year attend IRCA approved auditor training courses, all of which adopt ISO 19011 as the basis for their course criteria. There are also 10,000 IRCA certificated auditors registered against sector or standard specific schemes on this standard. Additionally, the 10,000 CQI members are impacted by management system audit, either as auditors, audit clients, or auditees, and as such have a direct interest in how these audits are performed. While requirements standards such as ISO 9001, ISO 14001 and ISO 45001 tend to steal the limelight, ISO 19011 is arguably more important because it underpins them all. This is because effective audit provides an organization and its stakeholders with critical assurance based on clear evidence that these systems are delivering their intended outcomes. In the absence of assurance, uncertainty increases, confidence diminishes, trust is lost. Audit also provides a means to detect developing issues, to limit damage, for root cause corrective action and an opportunity to address problems internally before they have a wider impact. But audit should not be just about ‘policing’ the business. First and second party audits should also be used to drive ongoing improvement, something which the 2018 edition of ISO 19011 emphasises throughout. It’s not by accident that all ISO management systems place considerable importance on the role of internal audit.
Purpose of this report
This report provides a detailed review of the contents of the International Standard (ISO 19011:2018), explaining each clause in ‘plain language’ before moving on to consider the implications of the guidance from the perspective of specific stakeholders in the management system audit process. It is intended to assist both CQI members and IRCA auditors in aligning their audit activities to meet the revised and enhanced best practice set out in ISO 19011:2018.
Involvement of the CQI and IRCA
ISO 19011:2018 was developed by ISO/PC 302, a committee to which the CQI and IRCA was awarded Category A liaison status in October 2016. This special recognition permitted the CQI and IRCA to attend plenary meetings of the Committee at all stages of the development process, from the production of the initial Committee Draft (CD) in November 2016 through to the Final Draft International Standard (FDIS) in December 2017. At each stage, the CQI and IRCA put forward comments and suggestions on behalf of its members in respect of what it believed the standard should contain. The most significant of these interventions took place at the Draft International Standard (DIS) stage. Using the CQI and IRCA standards commenting system (SCS) software, CQI and IRCA members registered over 120 comments on the proposed revision. As a result, CQI and IRCA members have had a material input into shaping the contents of ISO 19011:2018.
3. Message from Denise Robitaille
Message from Denise Robitaille, Chair of ISO/PC 302, the committee that supervised the development of ISO 19011:2018
ISO 19011 – The Revision and Why It Matters
The latest version of ISO 19011 has recently been released. It brings with it some significant additions and some changes that reflect how standards have evolved in the last decade.
A little history
When ISO 19011 was first conceived it was a joint venture between two technical committees, TC 176 and TC 207, with responsibility for quality management system standards and environmental management system standards, respectively. It resided in the portfolio of TC176/SC3. ISO Technical Management Board recognized that the sphere of management system standards had mushroomed to more than 70 and that more sectors outside of ISO were making use of the guidance. TMB created a new PC to accommodate the broader scope of users.
Why is this important?
In the last few years we’ve seen the introduction of new management system standards dealing with occupational health and safety, information management and energy management. Also, the most popular standards underwent major revisions. PC302 was founded to reflect the broader range of users. It has liaisons with many of the other ISO committees and sector specific organizations. Representatives from these liaisons engaged with PC302 bringing their valuable input and concerns. This resulted in a document that reflected myriad users, increasing its relevance and reach around the globe.
What’s changed?
Many organizations either choose or are required to implement and maintain multiple integrated management system schemes. Technology has changed, and with it the opportunity to conduct remote (or virtual) audits. Consideration of risk has become endemic. And, ISO 9001 introduced the concepts of the context of the organization. Key changes in the 2018 version include the addition of a risk-based approach to the principles of auditing. There was a need to reflect the enhanced focus on risk in both management standards and in the marketplace. Additionally, like any other process, auditing itself engenders certain risks.
There has been an expansion of guidance on managing an audit program, and planning and conducting audits. Due to the burgeoning number of management system standards, the language has been revised to be more generic – allowing for applicability across a broader range. Annex A (A.10) provides tips on auditing risks and opportunities while clause A.8 addresses challenges in auditing organizational context. Annex A (A.10) also introduces the concept of applying risk-based thinking to the audit process. Annex A (A.16) covers ‘Auditing virtual activities and locations’.
The good news
ISO 19011:2018 continues to provide the guidance auditors have come to rely on. It facilitates the deployment of an internal audit program that reflects multiple management system requirements. It addresses the enhanced focus on risk and gives great tips on the expanding practice of remote auditing. It provides consistency in the audit profession and is written in language comprehensible to all levels of users. Finally, it is the go-to document for anyone needing guidance on auditing.
4. Executive summary
The CQI and IRCA is a global player in the world of management system audit, with its IRCA brand being widely recognised as representing the ‘gold standard’ for auditor certification and training. It is committed to ensuring that the highest standards of auditor competence, professionalism and integrity are implemented worldwide. The development of ISO 19011:2018 provided an opportunity for CQI and IRCA to successfully argue the case for improvements it believes are necessary to make management system audit fit for the 21st century. With the support of the UK and other National Standards Bodies, many of these recommendations have been adopted. The most significant changes incorporated into ISO 19011:2018 are:
• adding a new seventh audit principle – Risk-based approach to audit
• expanding the guidance on managing an audit programme, including audit programme risk
• expanding the guidance on conducting an audit, particularly in respect of audit planning
• expanding the generic competence requirements for auditors
• a focus on processes and not just outputs – e.g. audit planning, not audit plan; audit reporting, not audit report
• removing ISO 19011:2011’s Annex A – guidance and illustrative examples of discipline-specific knowledge and skills of auditors
• expanding ISO 19011:2011’s Annex B (now ISO 19011:2018’s Annex A) – ‘Additional guidance for auditors for planning and conducting audits’, to include guidance on a range of new concepts including, but not limited to, auditing organizational context, auditing leadership and commitment, supply chain audit, virtual audits and auditing compliance.
5. Interpretation and comment
The interpretation and comments contained within this document are those of the CQI and IRCA. Other organizations may interpret this guidance differently. As such, this document should not be viewed as a definitive reference source for this International Standard; indeed, only documentation sourced directly from ISO/PC 302 can fulfil this purpose.
6. Clause by clause evaluation
This next section of this document sets out to:
• simplify the language used in each clause of ISO 19011:2018 to make its meaning easier to understand;
• identify whether the guidance provided in ISO 19011:2018 is new, is an amended version of the 2011 text, or whether it is taken directly from the 2011 edition of the standard;
• identify the implications of the 2018 guidance for stakeholders such as audit programme managers, auditors, audit clients and auditees.
Note: The CQI and IRCA is not permitted to reproduce the direct contents of the standard due to copyright restrictions. Those individuals who need access to the actual content of ISO 19011:2018 should make their own arrangements to source a copy of the standard directly from an authorised supplier.
ISO 19011:2018 – Guidelines for auditing management systems
Foreword
The foreword to ISO 19011:2018 notes that this is a technical revision to the 2011 edition. This is important as it signals that the changes it contains are significant. The main differences between the two editions are then listed. These are replicated in the executive summary. The foreword recognises that the 2018 edition was prepared by Project Committee (ISO/PC 302) – Guidelines for auditing management systems. This represents a change in ownership; the 2011 edition was developed by Technical Committee (ISO/TC 176) – Quality management and quality assurance. Finally, it confirms that the publication of ISO 19011:2018 replaces and automatically cancels ISO 19011:2011.
Introduction
The standard opens by stating that, since the publication of the 2011 edition, a range of new and revised management systems standards have been published which share a common high-level structure, identical core requirements, and common terms and definitions based on the ISO Annex SL requirements. This approach has presented a need for the new edition to provide audit guidance which is more generic, as opposed to the previous version which was discipline specific. The standard recognises the range of criteria against which audits may be conducted. These include requirements defined in one or more management system standards, policies and requirements specified by stakeholders, statutory or regulatory requirements, management system processes as defined by the organization or others, or quality plans/project plans. The standard notes that this list is not definitive and that a single audit may be conducted against one or several criteria. The guidance contained in the standard is also applicable to the use of combined audits and the audit of integrated management systems. There is a statement that the standard provides guidance which is intended for use by all organizations, irrespective of their size or type, and for audits of varying scopes and scales ranging from a single auditor in a small organization to a large audit team in a large organization. The guidance is intended to be flexible and may be adapted by organizations to suit their own audit-related programmes. While ISO 19011:2018 is primarily focussed on internal audits (first party) and audits performed by organizations on external providers (second party), it also complements ISO/IEC 17021-1 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements, which is only applicable to certification (third party) audits. ISO 19011:2018 can also be used as guidance input for any organization which wishes to develop its own audit process. The standard can be deployed by organizations which contribute to the audit sector through training and personnel certification of auditors, such as the CQI and IRCA. ISO 19011:2018 can be used by organizations for self-declaration, i.e. the organization can claim that it has adopted the guidance contained within the Standard and adheres to its principles; however, organizations are not able to obtain accredited, independent certification to this effect.
1. Scope
The scope of the applicability of this revision has not changed apart from minor changes in terminology. The purpose of ISO 19011:2018 remains to provide guidance on auditing management systems. This includes guidance on the principles of auditing, managing an audit programme and conducting management system audits. The standard recognises that it is applicable for all organizations that have a requirement to ‘plan and conduct’ internal or external management system audits (previously just ‘conduct’), and that the guidance contained can be applied to other types of audit provided that organizations give special consideration to the specific competence required for such audits.
2. Normative References
ISO 19011:2018 is intended to be used as a standalone document and does not need to be read in conjunction with any other standard (i.e. it has no normative references). In this respect it replicates ISO 19011:2011.
3. Terms and Definitions
A number of the terms and definitions used within ISO 19011:2018 have been revised. Six new terms and definitions have been added to the 20 which appear in ISO 19011:2011 (combined audit, joint audit, objective evidence, requirement, process, performance) and several of the existing terms and definitions have been modified from the text in ISO 9000:2015 Quality management systems — Fundamentals and vocabulary. It should be noted that the definition of ‘audit’ itself has been revised – this now becomes ‘a process for obtaining objective evidence’ (previously ‘a process for obtaining audit evidence’). There have also been significant changes to the notes to entry. The structure of this clause has also been fundamentally changed, with a new ordering of the terms and definitions. Due to the extent and nature of these changes, those involved in audit should familiarise themselves with the revised terminology. The 2018 edition of the standard points readers to two websites where terms and definitions used in standardisation can be accessed for free – https://www.iso.org/obp and http://www.electropedia.org/
4. Principles of Auditing
ISO 19011:2011 identifies six principles of auditing, the ‘pillars’ on which effective audit is built. These are integrity, fair presentation, due professional care, confidentiality, independence and an evidence-based approach. These are essentially unchanged but ISO 19011:2018 now adds a seventh principle – risk-based approach. This requires auditors to determine the effect of uncertainty, positive or negative, on the overall audit process. Adopting a risk-based approach ensures audits focus on those processes where the effect of uncertainty on the management system is greatest, i.e. those which are of most importance to the audit client. This approach also considers risks and opportunities that could affect the success of the audit programme in achieving its objectives. ISO 19011:2018 identifies two reasons for adhering to these principles. First, they are prerequisite to audit conclusions which are reliable and sufficient. Secondly, adopting them should enable auditors working independently of each other to arrive at similar conclusions in similar circumstances. The wording of the existing principles remains largely unchanged with one important caveat added to the principle ‘Independence’ (e). This now advises that internal auditors should be independent from the function being audited ‘if practicable’. Formerly this was independence ‘from the operating managers of the function etc.’ This recognises that for small and medium sized enterprises, securing full independence from management may not always be practically possible and that the best that can be achieved is for the auditor to be impartial and objective despite any management connection. There has also been a change to the wording of the principle ‘Integrity’ (a). Auditors and individuals (previously ‘person(s)’) managing an audit programme should now act ethically, honestly and responsibly (previously ‘honestly, diligently and responsibly’) and must only undertake audit activities if they are competent to do so.
5. Managing an Audit Programme
5.1 General
The guidance in the general coverage of audit programming has been revised extensively to reflect the evolving nature of auditing. This includes the complexity introduced through outsourcing audited processes, and the deployment of risk-based thinking. ISO 19011:2018 advises that an audit programme should be established to include audits which address one or more management system standards or other audit requirements. These audits may be conducted separately or in combination (combined audit). In other words, no audit activity is too small nor too big to exclude the need for an audit programme. The extent of the audit programme will depend on many factors. These include the size and nature of the auditee as well as the nature, functionality, complexity, types of risks and opportunities and the level of maturity of their management system(s). The design, planning and validation of the audit programme requires careful consideration, particularly where an organization operates in multiple sites and/or where important functions or processes are outsourced and managed by an external provider, with related consequences for leadership decisions. When designing audit programmes, it is important to fully address the context of the auditee. Information will be required on their organizational objectives, external and internal issues, the relevant interests of their stakeholders and any specific information security and confidentiality requirements pertaining to them that also need to be brought into the design consideration. The scope and extent of this consideration of context is new. The individual(s) managing the audit programme is responsible for ensuring that the integrity of the programme is maintained and that undue influence is not exerted over any part of the audit process. Note that the audit programme may be managed by a team, not necessarily an individual.
Audit resources should be directed to those areas of the management system which carry the most risk to its performance or where its performance differs from what is desired (previously ‘matters of signicance within the management system’).
The extent of information needed in the audit programme has been enhanced in ISO 19011:2018. The information contained within the programme should now include audit programme objectives, the scope of each individual audit contained within the programme, the audit criteria to be used, audit methods to be employed, and the audit type (i.e. internal or external). In addition, the programme should include a schedule showing the number, duration and frequency of planned audits, any risks and opportunities associated with delivering the programme, the criteria used for selecting audit team members, plus any other relevant documented information. More emphasis has been placed on monitoring and measuring the implementation of the audit programme by suggesting it should be done on an on-going basis to ensure the audit programme objectives are being achieved and to identify both the need for changes to the audit programme and possible opportunities for improving the programme. The audit programme process in the context of applying the Plan, Do, Check, Act cycle has been extensively reworked, as shown in Figure 1, to better reflect the structure of the revised standard.
5.2 Establishing audit programme objectives
In ISO 19011:2011 top management was responsible for ensuring audit programme objectives were established and that the audit programme was being implemented effectively. This responsibility now widens out to the audit client in general. In ISO 19011:2018, audit programme objectives should be consistent with the audit client’s strategic direction, as well as supporting their management system policy and objectives. The list of considerations on which objectives should be based has been extensively revised, primarily to reflect the Annex SL changes. The standard now suggests that the following should all be considered when setting programme objectives:
• stakeholder needs and expectations
• the characteristics of and requirements for processes, products, services and projects (and any changes to them)
• management system requirements
• the need to evaluate external providers
• the auditee’s level of performance
• the auditee’s levels of risk and opportunity
• the maturity of their management system(s)
• the results of their previous audits.
ISO 19011:2018 provides examples of audit programme objectives. These examples have been revised from those appearing in the 2011 edition, adopting Annex SL terminology.
5.3 Determining and evaluating audit programme risks and opportunities
INTERPRETATION: ISO 19011:2018 refers to ‘determining and evaluating’ audit programme risk, compared with ‘identifying and evaluating’ in the 2011 version, i.e. a call for a more considered approach. It explicitly references the need to determine opportunities as well as risks. The individual(s) managing the programme should now present to the audit client the risks and opportunities they have determined during the development of the audit programme along with the programme’s associated resource requirements, presumably to ensure accuracy. Note that in the 2011 edition, audit programme risks did not need to be communicated back to the client.
This sub-clause then sets out examples of audit programme risk. This has been updated and expanded upon from that which appears in ISO 19011:2011. Examples of audit programme improvement opportunities are provided also. These are new and include: allowing multiple audits to be conducted at a single site visit, minimising travel time/distance to the audit location, matching the level of competence needed for the audit to that of the audit team sent, and aligning audit dates with the availability of the auditee’s key staff. Such improvements are designed to ensure maximum efficiency and effectiveness of the audit process.
5.4 Establishing audit programme
5.4.1 Roles and responsibilities of the individual(s) managing audit programme
The role and responsibilities of the individual(s) managing the audit programme has substantively changed both in respect of their duties and who they should report to. Note: ISO 19011:2018 uses the term ‘individual(s)’ as opposed to the 2011 edition version which uses ‘person(s)’.
When establishing the extent of the audit programme the individual(s) concerned should bear in mind the programme objectives including any limitations which may need to be considered. The 2011 edition simply called for the extent of the programme to be established; it did not add any caveats. The individual(s) managing the audit programme should also:
• determine any internal or external risks and opportunities that could impact the programme (previously just ‘the risks’) and should implement actions to address these (previously simply evaluating them was sufficient) by integrating them into relevant audit activities.
• ensure audit teams are selected such that they possess the overall competence necessary to carry out the required auditing activities. The individual(s) managing the audit programme can achieve this by assigning roles, responsibilities and authorities and by supporting audit team leaders as required.
• establish all relevant processes within the audit programme (previously ‘procedures’) including for the coordination and scheduling of audits, for establishing audit objectives, scopes and criteria for audits, for determining audit methods, for selecting audit team members and for evaluating auditors.
• establish internal and external communications processes, dispute resolution and complaint handling, audit follow-up (if applicable), and audit reporting to the audit client and other relevant interested parties.
• determine (and now also ‘ensure’) provision of the resources necessary to deliver the audit programme.
• ensure appropriate documented information (previously ‘records’) is prepared (previously ‘managed’) and maintained, including audit programme records.
• monitor, review and improve the programme.
• communicate the programme to the audit client (previously ‘top management’) and to other relevant interested parties as may be appropriate.
Finally, the individual(s) managing the programme should seek approval for the programme from the audit client. In the 2011 edition approval was sought ‘where necessary’ from ‘top management’.
5.4.2 Competence of individual(s) managing audit programme
There have been some important additions to the competence of individual(s) managing the audit programme. As well as the necessary competence to manage audit programme risk, ISO 19011:2018 highlights the need for competence in realising audit programme opportunities and in dealing efficiently and effectively with any identified internal and external issues which can adversely impact the programme. A knowledge of audit principles, processes (previously procedures) and methods is still recommended, as is knowledge of management system standards, other relevant standards, and relevant reference and/or guidance documents. Additionally, the individual(s) managing the audit programme should have knowledge of the auditee’s context and business activities, in addition to their processes, products and services. They should also have knowledge of any statutory or regulatory requirements (previously ‘legal’) or other requirements relating to the auditee’s business functions. Newly added is the recognition that individual(s) may need knowledge of risk management, project and process management, and of information and communications technologies, necessary for them to perform their audit programme management role. The ISO 19011:2011 recommendation that the individual(s) managing the audit programme should engage in continual professional development (CPD) to maintain the knowledge and skills necessary to manage audit programmes is carried forward into the 2018 edition.
5.4.3 Establishing extent of audit programme The factors that could influence the extent of an audit programme which appear in ISO 19011:2011 are supplemented by management review outputs, downstream supplier issues, and business risk management issues. The other factors remain essentially the same, albeit with subtle revisions to their wording. It is again noted that an audit ‘programme’ could consist of a single audit, e.g. an audit of a specific project or of a specific supply contract. Additionally, it is noted that the extent of the audit programme can also vary depending on the level of information provided by the auditee in respect of its context. Where little information is provided, uncertainty is higher and, as a result, the programme could be more extensive.
5.4.4 Determining audit programme resources The individual(s) managing the audit programme should determine (previously ‘identify’) the resources necessary to successfully deliver the programme. The standard provides a list of considerations which has been expanded to include the impact of different time zones; the availability of any required specialist tools, technology or equipment; the availability of any required documented information; and requirements relating to the auditee’s facility, including security clearances and equipment.
5.5 Implementing audit programme 5.5.1 General An introductory paragraph has been added which states that once the audit programme has been fully established in line with 5.4.3 and 5.4.4, it is necessary to move on to the operational planning and management stage. Responsibility for this still resides with the individual(s) managing the audit programme; however, their duties have been expanded. ISO 19011:2018 states that they should communicate relevant parts of the audit programme, including the risks and opportunities involved, to relevant interested parties. They should also periodically inform those interested parties of the programme’s progress ‘using established external and internal communication channels’. The individual(s) managing the programme are also tasked with selecting the audit methods to be used. There is useful additional guidance on this subject in Annex A (A.1). They should provide the necessary ‘individual(s) and overall resources’ (previously just ‘resources’) to the audit team and should manage all operational risks, opportunities and issues as they arise during the audit programme’s deployment. Additional new responsibilities include defining and implementing the necessary operational controls to allow the audit programme’s delivery to be monitored, and the review of the audit programme to identify any opportunities for improvement. These issues are covered more fully later in the standard.
5.5.2 Defining the objectives, scope and criteria for a single audit As previously, the revised standard deals with the requirements for setting up a single audit within the audit programme. A number of subtle but important changes have been made.
ISO 19011:2011 advised that each single audit should be based on documented audit objectives, scope and criteria. The recommendation to document is removed from this sub-clause in ISO 19011:2018, which simply calls for the objectives, scope and criteria to be ‘defined’. The 2011 edition explicitly identifies the definition of objectives, scope and criteria as the responsibility of the person managing the programme. This text has been removed from sub-clause 5.5.2 in the 2018 edition. The audit objectives now need to consider the context and strategic direction of the auditee, the effectiveness of the management system in setting and delivering its objectives and its effectiveness in dealing with risks and opportunities. Further useful guidance on auditing context is given in Annex A (A.8). ISO 19011:2018 reminds us that the audit scope should be consistent with both the audit programme and the audit objectives, and that conformity or otherwise should be determined against the audit criteria. These statements are mostly unchanged from ISO 19011:2011. Audit criteria can now include information provided by the auditee on context, risks and opportunities faced by the organization. If the audit objectives, scope or criteria change, the audit programme should be revised. New for the 2018 edition is the explicit recommendation that the revised programme should then be recommunicated to relevant interested parties for approval, if this is appropriate. When two or more management systems of different disciplines are audited together (referred to as a combined audit) the audit objectives, scope and criteria for each discipline must be mutually consistent. The 2018 edition recognises that, when conducting combined audits, there may be instances where the audit scopes for different disciplines are not the same, i.e. the audit boundaries for one discipline, e.g. environment, could encompass the entire organization whilst for another discipline, e.g. quality, they may be restricted to a subset of defined processes of the organization. This is new text which does not appear in ISO 19011:2011.
5.5.3 Selecting and determining audit methods When selecting the methods to be used to conduct the audit, the individual(s) managing the audit programme should consider not just the method’s effectiveness but also its efficiency, based on the audit objectives, scope and criteria. The 2018 edition suggests that the use of methods should be ‘suitably balanced’ and based on considerations including each method’s associated risks and opportunities. Further guidance on the variety of audit methods which might be employed is given in Annex A (A.1). As was the case for ISO 19011:2011, the 2018 edition states that in instances where two or more organizations are to conduct a joint audit of the same auditee, the individual(s) responsible for managing each programme should jointly agree the audit methods to be employed. They should also consider the implications of joint working for audit planning and resourcing. In cases where the auditee operates two or more management systems of different disciplines, ISO 19011:2018 recognises that combined audits may be included in the audit programme.
5.5.4 Selecting audit team members There is no change from the 2011 edition in respect of the individual(s) managing the audit programme being responsible for appointing the audit team leader, members of the audit team and any technical experts. When making this selection they must consider the collective competence of the team required to achieve the objectives of the single audit, within the audit’s defined scope. An audit ‘team’ may consist of just one auditor, who should perform all the duties associated with the audit team leader role. Both ISO 19011:2011 and ISO 19011:2018 contain text relating to the steps to be taken by the individual(s) managing the audit programme to assure the overall competence of the team. These steps include initially identifying the competence needed to achieve an audit’s objectives, followed by the selection of audit team members who can demonstrate these areas of competence. The considerations for deciding the size and composition of the audit team for a specific audit that appear in the 2011 version have been subject to some change. The most important of these is that ‘the need to ensure independence from the activities being audited’ has been replaced in ISO 19011:2018 with ‘ensuring objectivity and impartiality’. Those selecting audit team leaders and members should be cognisant of potential conflicts of interest. The standard identifies the need to interact effectively not just with the auditee but also ‘with other interested parties’. These could include trainee auditors, appointed observers, interpreters and consultants. Another important addition to the 2018 edition is the recommendation that the type and complexity of the processes to be audited should also be a consideration during team selection. The ISO 19011:2011 recommendation that technical experts operate under the direction of an auditor has been removed from this sub-clause in the 2018 edition. Technical experts, with their additional competence, are recognised as a support for the team, and not as team members with auditing responsibilities. The team leader should direct the use of technical experts.
Both the 2011 and 2018 versions note that auditors in training may be included in the audit team; however, they should operate under the direction of a competent auditor. Both editions also recognise that the membership of the audit team may need to be changed during an audit should a competence issue or a conflict of interest come to light. Consultation with all relevant parties should take place prior to such a change. New for 2018 is an explicit recommendation that the individual(s) managing the audit programme should consult the audit team leader in respect of audit team composition, where appropriate.
5.5.5 Assigning responsibility for a single audit to the audit team leader As is the case for the 2011 edition, ISO 19011:2018 recommends that the individual(s) managing the audit programme assigns responsibility for each single audit contained within the audit programme to an audit team leader (often described as the Lead Auditor). This should be done sufficiently in advance of the scheduled audit date to permit effective planning. The information to be made available to the audit team leader is similar in the 2018 edition to that which appears in the 2011 edition. This includes information relating to audit objectives, criteria, scope and methods, composition of the team, contact details for the auditee, the audit location(s), dates and durations, as well as details of the resources that are being allocated to the audit. This information will usually be sourced from the audit programme and should now include any information which the audit team leader needs to deliver an effective audit while working with the auditee. Carried over from the 2011 edition is the recommendation to provide the audit team leader with information relating to risks (and now opportunities) associated with meeting the audit objectives. The assignment information provided to the audit team leader should also include details relating to the working and reporting language of the audit and details as to whom the audit reporting output (previously ‘audit report’) is to be provided. It should also include applicable matters relating to confidentiality, information security, security and authorisations, follow-ups from previous audits, and any pertinent information relating to the coordination of other audit activities such as joint audits. New for 2018 is the need for communication of information relating to health, safety and environmental arrangements (previously ‘health and safety requirements’) for auditors as well as any requirements for travel to or access of remote sites. The importance of reaching agreement on the respective responsibilities for each organization involved in a joint audit (where two or more parties audit together) is carried across from the 2011 edition. This should be achieved before the joint audit is performed. In particular, the authority of the appointed audit team leader should be agreed with all parties in advance of the audit beginning.
5.5.6 Managing audit programme results Once a single audit within the audit programme has been concluded and produced results, the individual(s) involved in audit programme management have further responsibilities. ISO 19011:2018 uses the term ‘results’ whereas the 2011 edition refers to ‘outcomes’. This may seem like semantics, but ‘results’ may more accurately describe the outputs from an evaluation process such as an audit. Added for 2018 is the recommendation that the individual(s) managing the audit programme should ensure that an evaluation of the achievement of the objectives for each audit takes place within the context of the audit programme. They should also ensure the review and approval of audit reports in respect of the fulfilment of each single audit’s scope and objectives. The distribution of audit reports to ‘top management and other interested parties’ simply becomes ‘to relevant interested parties’. The 2018 revision deletes the need for a review of root cause analysis and the effectiveness of corrective and preventive action. This is replaced with a review of the effectiveness of actions taken to address the audit findings. This change removes any doubt about the auditor’s involvement in determining the root cause of a nonconformity, which is the responsibility of the auditee. New for 2018 is the suggestion that the individual(s) managing the audit programme should consider communicating the audit results and any identified best practice to other areas of the organization and that they should also consider the implications of the audit results for other processes operating within the organization.
5.5.7 Managing and maintaining audit programme records Minor changes have been made to the process of managing audit records. As for 2011, processes should be established to ensure that any confidentiality requirements associated with audit programme records are properly addressed. The 2018 edition additionally calls for ensuring any information security needs relating to audit programme records are met through established processes. The listing of typical records has been revised. These are still broken down into three categories:
• records related to the audit programme
• records related to single audits
• records related to the audit team (previously ‘audit personnel’).
In respect of the audit programme, ‘schedule of audits’ has been added as a new entry and ‘documented audit programme objectives’ becomes simply ‘audit programme objectives’. ‘Records addressing risk’ becomes ‘records addressing risk and opportunities, and relevant external and internal issues’, whilst ‘records reviewing audit programme effectiveness’ remains unchanged. In respect of records relating to single audits, ‘audit plans’ and ‘audit reports’ are carried across from the 2011 edition, as are ‘nonconformity reports’. Records of ‘corrections and corrective action reports’ and ‘audit follow-up reports’ are included. Note that any doubt about the applicability of follow-up reports has been removed. New in the 2018 edition is the inclusion of records relating to ‘objective audit evidence and findings’.
In respect of records relating to the audit team at audit programme management level, the 2011 recommendations of records which evidence audit team members’ competence and performance, and the maintenance and improvement of competence, appear once more in the 2018 edition. The 2011 ‘selection of audit teams and team members’ has been expanded to ‘criteria for the selection of audit teams and audit team members and the formation of audit teams’. As before, ISO 19011:2018 states that audit records should contain sufficient detail to demonstrate that the objectives of the audit programme have been achieved.
5.6 Monitoring audit programme This sub-section provides further guidance on the previously stated responsibility of the individual(s) managing the audit programme to ensure that an evaluation takes place in respect of whether the audit schedule is being met, and whether the audit programme objectives are being achieved. The performance of the entire audit team and any technical experts should also be evaluated, as should the ability of the audit team to implement the audit plan. These recommendations are consistent with the 2011 edition.
The individual(s) responsible for managing the audit programme should also evaluate feedback from audit clients (previously ‘top management’), auditees, auditors, technical experts (new for 2018), and other relevant interested parties. To this guidance, the 2018 edition adds that audit programme management should consider whether the documentation applicable to the whole audit process is suitable for the purpose intended. As was the case for the 2011 edition, the 2018 edition recognises that certain factors may require the audit programme to be modified. These may include audit findings, the demonstrated level of the auditee’s management system’s effectiveness, changes to the auditee’s management system, changes to standards to which the organization is committed and changes to external providers (previously ‘suppliers’). To this list the 2018 edition adds changes to the demonstrated maturity of the auditee’s management system, changes to the effectiveness of the audit programme, changes to either an audit’s scope or the audit programme’s scope, identified conflicts of interest and changes to the audit client’s requirements.
5.7 Reviewing and improving audit programme In addition to the audit programme being reviewed by audit programme management, ISO 19011:2018 suggests that the audit client should also be involved. It also states that the outcome from this review should be used to further improve the audit programme, as in the 2011 version. The individual(s) managing the audit programme should still also review the continual professional development of auditors in accordance with clause 7.6 (previously ‘7.4, 7.5 and 7.6’) of the standard. The review itself should consider:
• results and trends identified as a result of monitoring the audit programme
• conformity with audit programme processes (previously ‘procedures’) and relevant documented information
• the evolving needs of relevant interested parties (previously ‘interested parties’)
• audit programme records
• alternative or new auditing methods
• the effectiveness of actions taken to address risks and opportunities, and internal and external issues (previously ‘risks’) associated with the programme, and
• confidentiality and information security issues relating to the audit programme.
Subject to the minor wording revisions outlined above, this list remains the same as for ISO 19011:2011. The results of the audit programme review should now be reported to relevant interested parties (previously ‘top management’).
6. Conducting an Audit 6.1 General Regarding a specific audit, section 6 continues from the preparation activities outlined in 5.5.5, when the audit itself becomes the responsibility of the audit team leader. Clause 6.1 advises that Clause 6 provides guidance on preparing and conducting a specific audit (previously ‘audit activities’) as a part of an overall audit programme. Figure 2 (Typical audit activities) found in the 2011 edition has been deleted, since the process flow of audit activities is illustrated in the context of the plan-do-check-act cycle in Figure 1. There is reference to a new Figure 2 (overview of a typical process of collecting and verifying information) which also appeared in 2011 as Figure 3. As in the 2011 edition, there is a reminder that the extent to which Clause 6 is applicable is dependent on the objectives and scope of each single audit.
6.2 Initiating audit 6.2.1 General ISO 19011:2018 maintains the recommendation that the appointed audit team leader retains responsibility for conducting the audit until the audit has been completed. ISO 19011:2018 again recognises that the sequence of audit activities found in Figure 1 can be varied depending on the auditee, their processes and/or the specific circumstances of the audit.
6.2.2 Establishing contact with auditee The word ‘initial’ has been dropped from the communication between the audit team leader and the auditee, since earlier contact with the auditee is likely to have occurred. Arrangements with the auditee for conducting the audit remain an audit team leader responsibility. The list of matters to be discussed during these arrangements is essentially unchanged. The audit team leader should confirm the communication channels to be used and their authority to conduct the audit. They should provide relevant information on the audit objectives, scope, criteria, methods and audit team composition, including details of any technical experts. The audit team leader should request relevant information to assist with the planning of the audit, which now includes information on the risks and opportunities the organization has identified and how these are being addressed. In addition, the audit team leader should determine any applicable statutory and regulatory requirements (previously ‘legal requirements’) and other requirements relevant to the auditee’s activities, processes, products and services. They should confirm the date(s) for the audit and the necessary arrangements for access, health and safety, security and confidentiality at the audit location(s).
Where there is an intention to use guides or observers, this should be agreed with the auditee. New for 2018 is the recommendation that agreement be sought in respect of any interpreters that may be required. The audit team leader should also determine any specific areas of interest, concern or (new for 2018) risk to the auditee, in relation to the audit. Finally, and also new for 2018, they should resolve any issues, including potential conflicts of interest, regarding the composition of the audit team with the auditee and/or the audit client.
6.2.3 Determining feasibility of audit The text of clause 6.2.3 is essentially unchanged. The feasibility of carrying out the audit should be determined in order to provide reasonable confidence that the audit objectives can be achieved. Factors to be taken into consideration include whether there is sufficient and appropriate information available for planning and conducting the audit, whether there has been adequate cooperation from the auditee and whether adequate time and resources have been allocated to conduct the audit. This includes provisions for access to information and any information technology involved. If it is determined that it is not feasible to conduct the programmed audit, an alternative plan should be proposed to the audit client, subject to the agreement of the auditee.
6.3 Preparing audit activities 6.3.1 Performing review of documented information Management system standards contain requirements for organizations to maintain and retain documented information as part of the system. This important stage should allow the audit team to determine whether these requirements have been met or otherwise. Note that there is no guidance on who should conduct this stage or where it should be conducted. This review activity is sometimes referred to as part of Stage 1 of an audit. Part of the purpose of conducting this review is to allow the audit team to become familiar with the auditee’s management system so that subsequent audit activities can be better planned.
The documented information examined should include (but not be limited to) management system documents and records and previous audit reports. The review should take into account the auditee’s context (this is new) and its size, nature and complexity. It should also take into account the auditee’s related risks and opportunities (also new), the audit scope, criteria (also new) and objectives. A new note is added in ISO 19011:2018 to advise that guidance on how to verify information is provided in Annex A (A.5). This replaces the guidance on how to conduct document review contained in Annex B.5 of the 2011 version.
6.3.2 Audit planning (previously ‘preparing the audit plan’). 6.3.2.1 Risk-based approach to planning The principal change to this sub-clause is that it is now focussed on an activity, i.e. audit planning, and not a product, i.e. the audit plan. It also emphasises the need to adopt a risk-based approach in the audit planning process using the information available. Audit planning (previously ‘the audit plan’) should consider the risks (previously ‘the effect’) the audit activities pose to the auditee’s processes and should provide the basis for agreement between the audit client, audit team and auditee in respect of how the audit is to be conducted. Planning (previously ‘the audit plan’) should help to ensure that audit activities are efficiently scheduled and coordinated. This will assist in achieving the audit objectives in an effective manner. The extent of the detail contained within an audit plan should be commensurate with the scope of the audit and its complexity, as well as the degree of uncertainty of the audit not achieving its objectives. When planning the audit (previously ‘when preparing the audit plan’) the audit team leader should consider the composition and overall competence of the audit team, which sampling techniques are appropriate, any opportunities to improve the effectiveness and efficiency of the audit activities and any risks to the auditee arising as a result of the audit being conducted. Further useful guidance on sampling techniques is given in Annex A (A.6). ISO 19011:2018 notes that risks to the auditee (previously ‘organization’) may occur as a result of the presence of the audit team. These include the team adversely influencing (previously just ‘influencing’) the auditee’s arrangements for health, safety, environment and quality, and its products, services, personnel or infrastructure.
For combined audits involving different management systems, specific attention should be paid to the interactions of operational processes and any potential competing objectives and priorities. 6.3.2.2 Audit planning details The principal change to this clause is that it is now focussed on an activity, i.e. audit planning, and not a product, i.e. the audit plan, although the guidance is largely unchanged from the 2011 version. This sub-clause highlights that the scale and extent of audit planning (previously ‘the audit plan’) is likely to differ between internal and external audits and between carrying out an initial audit and carrying out subsequent audits. The sub-clause also notes that as an audit progresses there may be a need to deviate from the original plan. Audit planning (previously ‘the Audit Plan’) should be flexible enough to accommodate the need to revise planned arrangements. Audit planning should address or reference the audit objectives, the audit scope (including the identification of the organization, its functions and the processes to be audited) and the audit criteria and any reference documented information (previously ‘documents’) to be used. It should also address or reference both the physical and virtual locations where the audit will take place, along with audit dates, timings and durations for audit activities, including meetings with the auditee’s management. Also carried over from the 2011 edition is the need to address or reference the audit methods to be used (which should include the extent to which sampling is required to obtain sufficient audit evidence). Note that the planned audit methods need to take any previous input from audit programme management (refer to 5.5.3) into account. The roles and responsibilities of audit team members, guides, observers and (new for 2018) interpreters, and the allocation of appropriate resources, should be included. The allocation of appropriate resources should be based on consideration of the risks and opportunities (previously based on the ‘critical areas’ to be audited) ‘related to the activities that are to be audited’ (new).
Added to this list for 2018 is that audit planning should address the need for the audit team to become familiar with the auditee’s facilities and processes, for example by undertaking a tour of any physical locations or by reviewing information and communications technology. Very often the audit team leader and relevant team members will visit the audit location for audit planning purposes (referred to as a Stage 1 audit). As for 2011, audit planning should take into account (as is appropriate) the identification of the auditee’s representative(s) for the audit, the working and reporting language of the audit where this is different from the language of the auditor or auditee or both, the audit report topics, and any specific logistical and communications arrangements related to the audit location(s). Audit planning should also take into account any specific actions necessary to address risks to (previously ‘the effect of uncertainty on’) achieving the audit objectives, matters relating to confidentiality and information security, follow-up actions from previous audits ‘or other sources e.g. lessons learned, project reviews’ (new for 2018) and follow-up activities to the planned audit, and any necessary coordination with other audit activities, for example in the case of a joint audit. The result of audit planning should be the production of an audit plan which should be made available to the auditee. Any need to resolve issues with the audit plan should involve the audit programme management if necessary (new for 2018).
6.3.3 Assigning work to audit team The text of this sub-clause is similar to that contained within the 2011 edition, except that the audit team leader, as well as assigning responsibility for auditing specific processes, activities, functions or locations to their audit team members, should also, as appropriate, assign responsibility for decision making. This assignment should take place following consultation with the team. When deciding to whom to assign specific work, the 2018 edition identifies the need for the audit team leader to take into account the ‘impartiality, objectivity and competence’ of auditors (previously ‘independence and competence’). The audit team leader should also seek to make the best use of their available resources regarding the roles of auditors, auditors in training and any technical experts.
Audit team meetings (previously ‘briengs’) should be held by the audit team leader in order to allocate work and to determine whether any changes in responsibilities or existing work allocations are required. Ideally, the audit team should meet prior to the audit to ensure that team members are comfortable with their allocated tasks. As in the 2011 edition, changes to responsibilities and work allocations may be made during the audit to facilitate achievement of the audit objectives.
6.3.4 Preparing documented information for audit This clause has been updated in ISO 19011:2018 to cover the preparation of documented information for the audit (previously ‘work documents’). Relevant information, including that provided by the auditee, should be acquired and reviewed by audit team members prior to conducting the audit. This should be used to prepare work documents to be used for the audit such as physical or digital checklists (previously ‘checklists’), audit sampling details and audio-visual information (previously ‘forms’). Further guidance on preparing audit work documents is given in Annex A (A.13). The ISO 19011:2011 text highlighting that checklists should not restrict the extent of audit activities is carried over into the 2018 edition, as is the reminder that documented information prepared for and resulting from the audit (previously ‘work documents, including records resulting from their use’) should be retained until the time that the audit is completed or for the duration specified in the audit programme (previously ‘audit plan’). The 2011 edition recommendation that audit team members safeguard documented information (previously ‘documents’) containing confidential or proprietary information is retained in ISO 19011:2018.
6.4 Conducting audit activities 6.4.1 General This sub-clause reiterates that whilst audit activities are typically carried out in the sequence indicated in Figure 1 (Figure 2 in the 2011 edition), the sequence may be varied to suit the circumstances of a single audit.
6.4.2 Assigning roles and responsibilities of guides and observers
In the 2018 edition, this sub-clause appears earlier than in the 2011 edition. In the 2011 edition the assigning of roles and responsibilities of guides and observers occurs three sub-clauses later (after conducting the opening meeting, performing document review while conducting the audit and communicating during the audit). Guides and observers may accompany the audit team. New for the 2018 edition is that this should be with approvals from the audit team leader, audit client and/or auditee if required, bearing in mind that this should be raised at the initial contact (refer to 6.2.2). Guides and observers should not influence the conduct of the audit. If this cannot be guaranteed, the audit team leader should be allowed to exclude them from certain audit activities.
If observers are to be present, any arrangements in relation to access (new for 2018), health and safety, environmental (also new for 2018), security and confidentiality should be managed between the audit client and the auditee. Guides, appointed by the auditee, should assist the audit team under the direction of the audit team leader or (new for 2018) the auditor to whom they have been assigned. The guide’s duties have not changed and will typically include: identifying individual(s) for interview, confirming timings and locations, arranging access to specific locations, communicating location-specific rules to the audit team and addressing any associated risks, witnessing the audit on behalf of the auditee and providing clarification/collecting information as needed without interfering with or influencing the audit.
6.4.3 Conducting opening meeting
The substantive content of this subsection remains essentially the same as before. The purpose of the opening meeting is to confirm all participants (previously ‘parties’) agree with the audit plan, to introduce the audit team and their roles (previously ‘introduce the team’) and to ensure all of the planned audit activity can be performed. Both the auditee’s management and any individuals whose functions and/or processes are to be audited should be present at the opening meeting, if appropriate, and they should be given an opportunity to ask questions. The context of the opening meeting should be commensurate with its setting. It may be a formal affair, chaired by the audit team leader, with a set agenda and records of attendance being retained, or it may simply consist of the audit team leader providing confirmation to management that an audit is being conducted and explaining the nature of the audit, e.g. for an internal audit. Any other participants, including observers, guides and (new for 2018) interpreters, should be introduced and their roles should be explained. The audit methods that will be employed in order to manage any risks to the auditee’s organization arising from undertaking the audit should also be identified. The opening meeting should also be used to confirm, as appropriate, the audit objectives, scope and criteria, the audit plan and other relevant arrangements with the auditee (such as the date and time of the closing meeting and any interim meetings), as well as the formal communication channels that will be utilised between the audit team and the auditee. Any change needed to the planned arrangements should be raised by the team leader. The language to be used during the audit may need to be confirmed at the opening meeting, so too the availability of resources and facilities needed by the audit team and any matters relating to confidentiality and information security.
Necessary confirmations should also be sought in respect of relevant access, health and safety, security and other arrangements for the team and for activities on site which could impact the conduct of the audit. The audit team leader should additionally agree the arrangements to ensure that the auditee will be kept advised of the audit’s progress.
During the opening meeting, the auditee should be advised as to how the audit findings will be reported and graded (if applicable), under what circumstances the audit may be terminated, and how they should deal with any possible findings arising from the conducting of the audit. The auditee should also be made aware of any arrangements for providing feedback on the audit findings or conclusions, including how to register complaints or appeals.
6.4.4 Communicating during audit
This sub-clause recognises that whilst conducting an audit, formal arrangements for communication between audit team members, the auditee, the audit client and/or external interested parties (previously ‘external bodies’) may need to be introduced, especially in instances where regulatory and statutory requirements (previously ‘legal requirements’) mandate the reporting of non-conformities (previously ‘non-compliance’). In any event, the audit team leader should periodically coordinate team meetings in order to share information, assess progress and reassign work as may be required. During the conducting of the audit, the audit team leader should communicate the progress of the audit, any significant findings (added for 2018) and any concerns to both the auditee and the audit client. If the evidence collected suggests an immediate and significant risk, it should be reported without delay to the auditee and, as appropriate, the audit client. Agreement should then be reached between the parties as to what action it would be appropriate to take. Any concerns identified which fall outside of the scope of the audit should be noted and reported to the audit team leader, for possible communication to the audit client and auditee. Also, if the audit evidence indicates that the audit objectives cannot be realised, this should be communicated by the audit team leader to the audit client and auditee in order that they can determine necessary action. Examples of such action are revisions to audit planning, the audit objectives and/or audit scope and the termination of the audit. Any necessary changes to the audit’s planning which become apparent during the conducting of the audit should be reviewed and accepted (previously ‘approved’) by both the individual(s) managing the audit programme and the audit client (previously ‘the auditee’) and then communicated to the auditee.
6.4.5 Information availability and access
This sub-clause advises that the audit methods chosen for an audit depend on the defined audit objectives, scope and criteria, as well as the audit’s duration and location. The Standard confirms that ‘location’ is where the information needed for a specific audit activity is made available to the audit team. This could be a physical or a virtual location (e.g. the Cloud). ISO 19011:2018 highlights that where, when and how to access information is critical to conducting an audit. These are independent of where the information is created, used or stored.
Audit methods which take into consideration the availability of and access to information need to be determined, and several different methods may need to be employed. Also, it may be necessary to modify the originally identified methods as a result of changing audit circumstances. Note that audit programme management has responsibility for selecting and determining the audit methods, so should be consulted prior to any significant changes.
6.4.6 Reviewing documented information while conducting audit
The title of sub-clause 6.4.3 has been changed from ‘Performing document review whilst conducting the audit’. Essentially the text is unchanged; however, references to documentation in the 2011 edition are replaced by references to documented information in the 2018 edition. Such information is likely to play a key role in the conduct of audit activities. This sub-clause confirms that the auditee’s relevant documented information should be reviewed during the audit, in order to determine conformity of the auditee’s management system (so far as the documentation permits) with the audit criteria, and to amass information to support audit activities. Annex A (A.5) provides further guidance on the verification of information which may be used as objective evidence in an audit. The review of documented information can take place alongside other audit activities and can extend for the full duration of the audit providing it does not have a detrimental impact on the effective conducting of the audit, e.g. by taking up time which delays the audit progress. If it proves impossible to acquire adequate documented information within the timeframe set out in the audit plan, the audit team leader should advise both the individual(s) managing the audit programme and the auditee. A decision should then be taken as to whether to continue with or to suspend the audit until such time that the documented information issue is addressed.
6.4.7 Collecting and verifying information
ISO 19011:2018 introduces some important changes to the text contained in the 2011 edition. Information still needs to be gathered during the audit process which is relevant to the audit objectives, scope and criteria. This includes information relating to interfaces between functions, activities and processes. The information should be collected by sampling. Further guidance on sampling techniques is given in Annex A (A.6). The 2011 edition called for this information to be verified and stated that only information that has been verified can form audit evidence. The 2018 edition, however, has softened this position and calls for verification ‘as far as is practical’. It advises that only information that can be ‘subject to some degree of verification’ should be accepted as audit evidence, and in instances where the degree of verifiability is low, auditors should use their professional judgement to determine the degree of reliance that can be placed upon it.
Both the 2011 and 2018 editions call for audit evidence to be recorded. If the audit team becomes aware of any changed circumstances, risks or opportunities (previously ‘circumstances or risks’) whilst collecting objective evidence (previously ‘evidence’), they should take these circumstances into account. The 2011 figure 3, ‘overview of the process of collecting and verifying data’, becomes figure 2, ‘overview of a typical process of collecting and verifying information’; however, the stages remain the same. Sampling is used to draw information from its source. This information is subject to verification, after which it becomes audit evidence. The audit evidence is evaluated against the audit criteria, which generates audit findings in the event of any issues or concerns. The findings are reviewed, and audit conclusions are drawn. The 2011 methods for collecting information (interviews, observations, review of documentation) are carried across to ISO 19011:2018 (with documentation becoming documented information). Further guidance on techniques associated with obtaining information is given in Annex A (A.14, A.15 and A.17).
6.4.8 Generating audit findings
Generating audit findings is perhaps one of the most crucial activities carried out by an auditor and will have a bearing on meeting audit objectives. Many of the previous activities of the auditor up to this point in the audit process will contribute directly to the effectiveness of the auditor’s evaluation. Both the 2011 and 2018 editions reiterate that audit evidence should be evaluated against the audit criteria in order to determine audit findings. Note that, according to the definition, audit findings can include both conformity and nonconformity with the audit criteria.
If the audit plan requires it, single audit findings should include recognition of conformity and good practice (along with their supporting evidence), opportunities for improvement and any recommendations to the auditee on the implications of the findings. Annex A (A.18) notes that, if agreed by the audit client, the auditor may guide the auditee on the response to the findings. This is more common in second party audit situations during client audits on suppliers. Nonconformities and their supporting evidence should always be recorded. These ‘can be graded’ if desired, to which the 2018 edition adds ‘depending on the context of the organization and its risks’. The 2018 edition also states that this grading can be either quantitative (the nonconformity is a level 1, 2, 3 etc.) or qualitative (the nonconformity is major, minor etc.). There is no universally agreed method for grading of nonconformities, although audit clients and auditing organizations often develop their own standard practices. Nonconformities should be reviewed with the auditee in order to confirm that the audit evidence is accurate and to ensure that the auditee understands the nonconformity. If there is disagreement about the audit evidence or the audit findings, every effort should be made to resolve this. If resolution is impossible, the unresolved issue should be recorded for reporting to the audit programme management and, if appropriate, to the audit client.
Note 1 to the sub-clause points to additional guidance contained in Annex A (A.18) in respect of the identification and evaluation of audit findings. This note is identical to the 2011 edition. A new note 2 has been added to the 2018 edition, however. This is a reminder that, when conformance or non-conformance to statutory or regulatory requirements occurs, this is sometimes referred to as compliance and non-compliance. These terms have often been used interchangeably without taking cognisance of this distinction.
6.4.9 Determining audit conclusions
6.4.9.1 Preparation for closing meeting
Formerly the first paragraph of ISO 19011:2011’s sub-clause 6.4.8 ‘Preparing audit conclusions’. The text appearing in the 2011 edition and 2018 edition is identical. The new title implies that the team meeting to prepare audit conclusions is an activity that should just precede the closing meeting, as has long been standard practice. The purpose of this meeting is to review the audit findings (as well as any other information collected during the conducting of the audit) against the audit objectives. The audit team should then agree audit conclusions, taking into account the uncertainty inherent in the audit process. Recommendations, e.g. a decision on awarding certification, should also be prepared if a requirement for such is specified in the audit plan. Note that the audit team leader should make the final decision on the audit conclusions to be presented to the auditee, as the individual responsible to audit programme management.
Additionally, the audit team should discuss any required audit follow-up to be advised to the auditee and recommended to audit programme management.
6.4.9.2 Content of audit conclusions
Formerly the second paragraph of ISO 19011:2011’s sub-clause 6.4.8 ‘Preparing audit conclusions’. There are significant differences between the text appearing in the 2011 edition and that which appears in the 2018 edition. ISO 19011:2018 notes that the audit team’s conclusions may contain content relating to the extent of conformity with the audit criteria and the robustness of the management system, including how effective it is in meeting its intended outcomes (previously ‘stated objectives’) and (new for 2018) the audit team’s evaluation of the risk-based approach taken by the auditee’s management system. The team’s conclusions may also contain content relating to the effectiveness of the implementation, maintenance and improvement of the management system, references to the achievement of the audit’s objectives, coverage of the audit scope and/or the extent to which the audit criteria have been fulfilled. The conclusions may also include details of similar findings made in different areas during the audit or that were audited at an earlier time in order to identify trends. The 2011 references to audit conclusions addressing the root causes of findings and the capability of the management review process to ensure the continuing suitability, adequacy, effectiveness and improvement of the system have been deleted. This recognises that determination of root cause is the responsibility of the auditee as a component of any corrective action taken.
6.4.10 Conducting closing meeting
There have been some important changes to the text of the 2011 edition. The purpose of the closing meeting is unchanged in the 2018 edition. It is still convened in order to present the audit findings and conclusions. In the 2011 edition the closing meeting is ‘facilitated’ by the audit team leader; however, in the 2018 edition the audit team leader now ‘chairs’ the meeting. Where ISO 19011:2011 called for the participation of those responsible for the functions or processes which were audited ‘where appropriate’, the 2018 edition drops the ‘where appropriate’, implying that the management of the auditee should be present at the closing meeting. ISO 19011:2018 suggests the closing meeting includes these individuals, as well as the audit client, other members of the audit team and relevant interested parties, as identified by the audit client and/or auditee (previously just the ‘audit client and other parties’). The audit team leader should still advise the auditee of any situations encountered during the conducting of the audit which may affect the confidence that can be placed in the audit’s conclusions. Also, participants at the meeting are still expected to agree on the timings for an action plan to address the audit’s findings, if this is defined in the management system or has been agreed with the audit client. The 2011 edition identified that the degree of detail provided at the closing meeting should be dependent on how familiar the auditee is with the audit process. This is carried forward into the 2018 edition, which additionally identifies that the degree of detail provided should also take into account the effectiveness of the management system in achieving the auditee’s objectives, including consideration of its context, risks and opportunities.
Both the 2011 and 2018 editions recognise that for some audit situations the closing meeting will be a formal affair, with the need to keep minutes and records of attendance. For other audit situations (typically internal audits) formal minutes of the closing meeting may not be necessary; in such instances it may be sufficient to simply communicate the audit’s findings and conclusions. During the closing meeting the auditee should be advised that the audit evidence was based on a sample and (new for 2018) that this sample may not be fully representative of the overall effectiveness of the auditee’s processes. The auditee should also be made aware of how the audit will be reported, how the audit findings should be addressed based on the agreed process, and the possible consequences to the auditee if they fail to address the findings. The audit findings and conclusions should still be presented in a manner which ensures that they are understood and acknowledged by the auditee’s management. The closing meeting should also reference any post-audit activities that may be considered, including the implementation and (new for 2018) ‘review’ of corrective actions, the addressing of audit complaints and the operation of the appeals process. As for the 2011 edition, if the audit team and the auditee have divergent opinions on the audit findings or conclusions, these should be discussed and ideally resolved. Note that it is not necessary for the audit team leader to wait until the closing meeting before communicating significant audit findings and concerns to the auditee (refer to 6.4.4). The closing meeting is essentially a presentation meeting and the audit team leader should try to pre-empt any contention at the meeting through this earlier communication. If resolution is not possible then this should be recorded for reporting to audit programme management and, if required, the audit client.
Opportunities for improvement may also be presented at the closing meeting, if specified in the audit objectives. If opportunities for improvement are presented, it should be emphasised that these are not binding on the auditee and will not affect the determination of the audit objectives. In this respect there is no difference between the 2018 edition and the 2011 edition.
6.5 Preparing and distributing audit report
6.5.1 Preparing the audit report
This report is sometimes known as the “audit summary report” and may be different from a separate findings report issued by audit team members. In any event, the audit report should cover the full extent of the audit process undertaken by the audit team. As is the case for the 2011 edition, ISO 19011:2018 identifies that it is the audit team leader’s responsibility to report the results of the audit in accordance with the audit programme. Audit reports should still provide a complete, accurate, concise and clear record of the audit. They should still include or refer to the audit objectives, the audit scope and in particular the identification of the organization (i.e. the auditee) and any functions or processes that were audited, including all the audit participants. Additionally, they should record the dates and locations of the audit, the audit criteria which were applied and the audit findings and their related evidence. A statement should also be included which identifies the degree to which the audit criteria have been fulfilled. Other contents for the audit report, shared with the 2011 edition, are references to or the inclusion of the audit plan including the time schedule, a summary of the audit process and any obstacles encountered during the audit that may impact the audit conclusions, confirmation of the achievement of the audit objectives (within scope and in accordance with the audit programme), a summary of the audit conclusions and the main findings that support them, and recognition of any good practice identified. As for ISO 19011:2011, any agreed follow-up should also be included or referenced in the audit report, as should a statement regarding the report’s confidentiality and any implications for the audit programme or subsequent audits arising from the conducting of the audit.
Newly added for the 2018 edition is the recommended inclusion of wording to reflect that audits are a sampling exercise and consequently there is a risk that the evidence examined may not be representative. The 2018 version also includes the addition of comment on any part of the audit scope which may not have been covered, possibly due to lack of access to evidence, resources or confidentiality restrictions. Dropped for the 2018 edition is the suggested inclusion of a distribution list for the audit report (although the report still needs to be distributed as per 6.5.2), as well as the note to the sub-clause which identifies that the audit report can be developed before the closing meeting.
6.5.2 Distributing audit report
Audit reports should still be issued within an agreed period of time. If this is not possible, the individual(s) managing the audit programme should advise the auditee as to the reason for the delay. As in ISO 19011:2011, the audit report should be dated and reviewed, but whereas 2011 calls for it to be ‘approved in accordance with audit programme procedures’, 2018 calls for it to be ‘accepted, as appropriate, in accordance with the audit programme’.
ISO 19011:2018 advises that the audit report should be distributed to relevant interested parties (previously ‘recipients’) as defined in the audit programme or audit plan (previously ‘audit procedures or audit plan’).
6.6 Completing audit
An audit is deemed to be complete when all the planned audit activities have been carried out (or as otherwise agreed with the auditee). This means that the work of the audit team concludes with the issue of the audit report unless there are particular circumstances agreed with the audit client. Any documented information (previously ‘documents’) connected with the audit should be retained or disposed of (previously ‘destroyed’) by agreement between the participating parties, and in accordance with the audit programme (previously ‘audit programme procedures’) and any applicable requirements. Neither the individual(s) managing the audit programme nor members of the audit team should disclose information (previously ‘the contents of documents and other information’) obtained during the audit to any third party unless explicit permission to do so is obtained from the audit client, or unless there is a requirement to disclose the information by law. ‘Information’ includes the audit report. Where the contents of an audit document are to be disclosed for whatever reason, the audit client should be informed as soon as is practically possible. ISO 19011:2018 treats lessons learned from audits differently to the 2011 edition. Under 2011, lessons learned from conducting the audit should be ‘entered into the continual improvement process of the auditee’s management system’. In 2018, there is just an acknowledgement that both the auditee and audit programme management should identify how the audit can contribute to risks and opportunities for both parties.
6.7 Conducting audit follow-up
On completion of the audit, audit programme management takes over responsibility for the outcome of an audit (previously ‘the conclusion of the audit’), which may indicate a need for corrections, corrective action or opportunities for improvement. Note that the 2011 reference to preventive action has been dropped in the 2018 edition.
Corrections, corrective actions and opportunities for improvement are normally decided and undertaken by the auditee within an agreed timeframe. The status of the actions should be advised by the auditee to the individual(s) managing the audit programme, as appropriate. The completion and effectiveness of these actions should be verified. This is known as audit follow-up and may involve another audit process being undertaken or the verification activity being added to a subsequent audit. Note that any decision on audit follow-up should be taken by programme management, albeit taking into consideration any references to post-audit activities made at the closing meeting (refer to 6.4.10).
7. Competence and Evaluation Of Auditors
7.1 General
The recognition continues that confidence in the audit programme depends to a significant degree on the competence of those individuals involved in the audit process. The 2011 edition called for this competence to be evaluated (note that the 2018 edition calls for regular evaluation) by means of examining an auditor’s behaviours and their knowledge and skills gained through audit experience, work experience, training and education. The sub-clause recognises that some of the knowledge and skills an auditor should possess are generic whilst others are discipline or sector specific. There is a reminder that not all auditors in an audit team need to have the same levels of knowledge or skills as long as collectively the necessary competence to achieve the audit’s objectives exists within the team as a whole. It is suggested that the evaluation of auditor competence is planned, implemented and documented in order to generate an outcome which is objective, consistent, fair and reliable. Four key steps are identified: determine the required competence necessary to complete the audit programme, establish the evaluation criteria based on the programme needs, select the evaluation method(s) and carry out the evaluation. The outcome of the evaluation process will provide a basis for audit team member selection and will also identify any competence gaps (competence required vs competence possessed) that need to be addressed. The outcome will also assist with the ongoing evaluation of auditors. The importance of single auditors undertaking continual professional development to develop, maintain and improve their competence is emphasised, as well as the need to conduct audits on an ongoing basis. To underline the importance of this competence issue, there is a reference to a process for evaluating auditors and audit team leaders in sub-clauses 7.3, 7.4 and 7.5.
There is also recognition that auditors and audit team leaders should be evaluated against the criteria set out in sub-clauses 7.1, 7.2.2 and 7.2.3. The competence required of the individual(s) managing the audit programme is referenced in sub-clause 5.4.2.
7.2 Determining auditor competence
7.2.1 General
This sub-clause was previously titled ‘Determining auditor competence to fulfil the needs of the audit programme’. ISO 19011:2011 suggested that in deciding the appropriate knowledge and skills required of an auditor in order to complete an audit, several considerations are necessary. These include the size, nature and complexity of the organization to be audited, the management system disciplines to be audited and the objectives and extent of the audit programme. The 2018 edition replaces ‘knowledge and skills’ with ‘competence’, and adds the products, services and processes of auditees to the main considerations. Other considerations for determining auditor competence in the 2011 edition include: any other requirements such as those imposed by external bodies (in ISO 19011:2018 this becomes ‘imposed by the audit client or other interested parties’), the role of the audit process in the management system of the auditee (this has been deleted from the 2018 edition), the complexity of the management system being audited (‘complexity and processes’ in the 2018 edition) and the uncertainty in achieving audit objectives (no change). Newly added for 2018 is another consideration relating to the competence of an auditor as regards the risk-based approach found in the management system. This implies that the auditor may require a more thorough knowledge of the auditee’s business sector than was previously necessary.
7.2.2 Personal behaviour
In line with the principles of auditing in Clause 4, the auditor needs to demonstrate certain attributes which are essentially unchanged from the 2011 version. Note: the 2018 edition replaces ‘qualities’ with ‘attributes’.
Also, the 2018 revision refers to ‘desired professional behaviours’ (previously ‘professional behaviours’). This implies that not all attributes may be demonstrated fully by all auditors. Otherwise, the list of behaviours remains the same. Auditors are expected to be ethical, open-minded, diplomatic, observant, perceptive, versatile, tenacious, decisive, self-reliant, able to act with fortitude, open to improvement, culturally sensitive and collaborative.
7.2.3 Knowledge and skills
7.2.3.1 General
As in the 2011 version, all auditors should possess the necessary knowledge and skills to enable them to achieve the intended results of the audits they are required to perform. This comprises both generic competence and a level of (previously ‘some’) discipline and sector specific knowledge and skills. Audit team leaders should additionally possess the necessary knowledge and skills to enable them to provide leadership to an audit team.
7.2.3.2 Generic knowledge and skills of management system auditors
Auditors should possess generic knowledge and skills in the areas of audit principles, processes and methods; management system standards and other references; the organization and its context; and applicable statutory and regulatory requirements. These are similar to the four headline areas contained in the 2011 edition. The first of these areas is audit principles, processes and methods. Both the 2018 and 2011 editions agree that knowledge and skills in this area should enable audits to be conducted in a consistent and systematic manner. The list of what an auditor should be able to do in respect of audit principles, processes and methods has been supplemented in the 2018 revision by the ability to comprehend the risks and opportunities involved in auditing as well as the principles of the risk-based approach. There is also the ability to conduct audits of a complete process where the interactions with other processes and functions of a process need to be considered. This is often referred to as ‘process auditing’. The following are retained in the 2018 edition: to plan and organize work effectively, to perform the audit within the agreed time schedule and to prioritise on matters of significance. Also retained are: to communicate effectively both orally and in writing, to collect information through interviews, listening, observing and reviewing documented information (previously ‘documents’), to understand and consider the views of technical experts, to verify the relevance and accuracy of information that has been collected and to confirm whether the information collected is sufficient and appropriate enough to support the audit findings and audit conclusions. The final three entries carried over from the 2011 edition are: to assess factors which may affect the reliability of the audit findings and conclusions, to document audit activities and findings and prepare reports, and to maintain the confidentiality and security of audit information. The 2011 edition entries ‘use work documents to record audit activities’ and ‘apply audit principles and methods’ have been deleted from the ISO 19011:2018 list. The second of the four areas relates to management system standards and other references (previously ‘management system and reference documents’).
Both the 2011 and 2018 editions highlight that knowledge and skills in this area enable the auditor to understand an audit's scope and apply audit criteria. The necessary knowledge and skills should relate to management system standards or other normative, guidance or supporting documents which are used to establish audit criteria or audit methods (previously 'management system standards or other documents used as audit criteria'). The auditor should also have the knowledge and skills to understand how the auditee has applied the management system standard(s) to their organization. They should understand the relationships and interactions between processes (previously 'components') of the management system, and the importance and respective priority of multiple standards or references (previously 'the hierarchy of reference documents'). They should also understand the application of standards or reference documents (previously just 'reference documents') to different audit situations.
The third of the four areas relates to the organization and its context (previously 'organizational context'). Both the 2011 edition and the 2018 edition advise that knowledge and skills in this area enable the auditor to understand the auditee's structure, purpose and management practices. The knowledge and skills that should be possessed include an understanding of the needs and expectations of relevant interested parties that impact the management system (this is new for 2018).
Note that these particular auditor skills should be enhanced by the preparation activities described in section 5.5.2. They should also cover organizational types, governance, size, structure, functions and relationships, and general business and management concepts, processes and related terminology (including planning, budgeting and people management). Finally, the need for knowledge and skills relating to the cultural and social aspects of the auditee is carried across from ISO 19011:2011 to the 2018 edition.
The fourth of the four areas of generic knowledge and skills relates to the auditor's ability to work within the auditee's applicable legal and statutory framework, including other requirements which may be imposed. Auditors should sufficiently understand the statutory and regulatory requirements (previously 'laws and regulations') and their governing agencies, basic legal terminology, and contracting and liability law, in relation to the auditee's activities, processes (new for 2018), products and services (also new for 2018). A new note has been added for 2018 which advises that awareness of statutory and regulatory requirements does not imply legal expertise. As a result, a management system audit should not be treated as a legal compliance audit by any of the audit participants. Such an audit requires a different level of legal knowledge and expertise than that expected of a management systems auditor.
7.2.3.3 Discipline and sector-specific competence of auditors
One of the significant changes from the 2011 text is that audit teams should collectively have the discipline- and sector-specific competence to audit the particular types of management systems and sectors which appear in the audit programme. In the 2011 edition, it was individual auditors that needed to have such knowledge and skills. This appears to slightly relax the sector-specific level of competence expected of each audit team member. The statement that not all team members need to have the same competence has been removed, along with the other competences detailed below.
The 2018 edition advises that the discipline- and sector-specific competence auditors should possess includes: knowledge of management system requirements and principles and how they are applied; the fundamentals of the discipline(s) and sector(s) which relate to the management system standards as applied by the auditee; and competence in the application of discipline- and sector-specific methods, techniques, processes and practices which permit the team to assess conformity within the defined audit scope and to generate appropriate audit findings and conclusions. Additionally, auditors should possess competence in principles, methods and techniques which are relevant to the discipline and sector, such that the auditor is able to evaluate risks and opportunities associated with the audit objectives (previously knowledge of risk management principles, methods and techniques relevant to the sector such that the auditor can evaluate and control risks associated with the programme). The 2011 edition recommendations that the discipline-specific knowledge and skills should include 'legal requirements relevant to the discipline or sector' and 'the requirements of interested parties relevant to the sector' have been removed, as has 'sufficient knowledge of the particular sector, the nature of operations or the workplace being audited to enable the auditor to carry out the audit and to reach conclusions'. Also removed for 2018 are discipline-specific knowledge and skills relating to risk management principles and methods relevant to the discipline and sector, and the text suggesting the possession of knowledge and skills in respect of 'the application of business and technical discipline specific methods, techniques, processes and practices'.
7.2.3.4 Generic competence of audit team leader
The description of the generic competence applicable to audit team leaders primarily addresses the leadership skills needed to manage the audit team and achieve the audit objectives. The 2018 edition advises that audit team leaders should possess the necessary competence (previously 'additional knowledge and skills') to facilitate (previously 'manage') the efficient and effective conduct of the audit. This should include the competence required to plan and assign audit tasks to audit team members based on each team member's specific competence (previously 'competence to balance the strengths and weaknesses of individual team members'). The audit team leader's competence should include an ability to discuss strategic matters with the auditee's top management in order to determine whether these matters were considered during the evaluation of the organization's risks and opportunities (this is new for 2018). The 2011 edition competence, 'developing a harmonious working relationship amongst audit team members', becomes 'develop and maintain a collaborative working relationship' in the 2018 edition. The audit team leader should still possess the necessary competence to manage the conduct of audits.
This includes the competence to ensure that the available audit resources are used effectively, that any uncertainty in respect of achieving the audit objectives is managed, that the health, safety and security of the team is preserved, that audit team members are appropriately directed in their duties, and that auditors in training receive the direction and guidance they require. The 2011 edition text calling for competence to prevent and resolve conflicts is expanded in the 2018 edition to include problems during the audit, including those within the audit team. As was the case in the 2011 edition, ISO 19011:2018 also calls for audit team leader competence in representing the audit team in communications with the individual(s) managing the audit programme, the audit client and the auditee, in leading the audit team to reach conclusions, and in preparing and completing the audit report.
7.2.3.5 Knowledge and skills for auditing multiple disciplines
The 2011 edition identified that audit team leaders should understand the requirements of each management system standard and should recognise the limits of their knowledge and skills in each of the disciplines. In the 2018 edition, 'knowledge and skills' is replaced by 'competence'. Competence is not simply possessing the necessary knowledge and skills; it is also the ability to apply them to achieve intended results.
ISO 19011:2011 highlighted that individual auditors in an audit team conducting multi-discipline audits should have the necessary competence to audit at least one of the management systems. This text has been removed from the 2018 edition. The 2018 edition does, however, retain the 2011 text advising that individual auditors on the audit team should understand how the different management systems interact and the synergies that should be present. There is a new note which points out that multiple-discipline audits can take place both in joint audits and where an integrated management system involves two or more disciplines.
7.2.4 Achieving auditor competence
As with the 2011 version, the 2018 edition recognises that auditor competence (previously knowledge and skills) can be acquired through a combination of factors. These include successfully completing (previously no reference to 'successful' completion) training programmes which cover generic knowledge and skills, and audit experience acquired working under the direction of an auditor competent (previously 'experienced') in the same discipline. Other identified methods for achieving competence include work experience in a relevant technical, managerial or professional position where the exercising of judgement, problem solving, decision making and effective communication with relevant interested parties were important, as well as education/training and experience in a specific management system discipline and sector that contributes to the development of overall competence (previously 'experience in the sector that the auditor intends to audit in'). Note that these are the same factors which are applied in the auditor certification schemes operated by the CQI and IRCA.
7.2.5 Achieving audit team leader competence
This clause has been retitled from the corresponding 2011 edition sub-clause, 7.2.5 'Audit team leaders'. The 2011 edition recognised that audit team leaders could develop the necessary knowledge and skills to lead an audit team as a result of additional audit experience, working under the direction and guidance of another audit team leader. The 2018 edition takes this further by replacing 'necessary knowledge and skills' with 'necessary competence'. Note that the CQI and IRCA auditor certification schemes require evidence of this direction and guidance for certification as Lead Auditor.
7.3 Establishing auditor evaluation criteria
INTERPRETATION: As in the 2011 version, both qualitative and quantitative auditor evaluation criteria should be developed. Examples of qualitative criteria include demonstrating the desired professional behaviours, and possession of knowledge or performance of audit skills, either in training or 'on the job'. Examples of quantitative criteria include years of work experience, number of audits conducted and hours of audit training.
7.4 Selecting appropriate auditor evaluation method
The same table (Table 2) of auditor evaluation methods ('possible evaluation methods' in 2011) as found in the 2011 version is used, though there are subtle changes to the text appearing in the objectives and examples columns. Auditors should be evaluated using two or more methods. The Standard notes that not all the methods may be applicable and that the methods differ in their reliability; a combination of methods is therefore recommended. Auditor evaluation methods include review of records, obtaining feedback, conducting interviews, observation, testing and the conducting of post-audit reviews.
7.5 Conducting auditor evaluation
In ISO 19011:2018, 'person' has been replaced by 'auditor under evaluation'; otherwise the guidance is the same. Information collected about the auditor under evaluation (previously 'person') should be compared to the criteria established in clause 7.2.3 (knowledge and skills). If an auditor under evaluation does not meet the defined criteria, they should undertake additional training, work experience and/or audit experience to address their competence gap. Once they have completed this, their competence should be re-assessed.
7.6 Maintaining and improving auditor competence
As was the case for ISO 19011:2011, both audit team leaders and auditors are expected to maintain and continually improve their competence through regularly participating in management system audits and through continuous professional development. This can involve a variety of means including, but not limited to, additional work experience, self-study, training, and attendance at meetings, conferences and seminars. The individual(s) managing the audit programme should establish suitable methods for continually evaluating the performance of audit team leaders and auditors. Continual professional development activities should take into account changes in the needs of the individual(s) and of the organization responsible for conducting the audit. They should also take into account developments in the practice of auditing, including the use of ICT and other new technologies (new for 2018), relevant standards (including guidance/supporting documents) and other requirements, and changes in the sector and/or discipline (new for 2018).
Now deleted: ISO 19011:2011 Annex A (Informative) – Guidance and illustrative examples of discipline-specific knowledge and skills of auditors
A.1 General
A.2 Illustrative example of discipline-specific knowledge and skills of auditors in transportation safety management
A.3 Illustrative example of discipline-specific knowledge and skills of auditors in environmental management
A.4 Illustrative example of discipline-specific knowledge and skills of auditors in quality management
A.5 Illustrative example of discipline-specific knowledge and skills of auditors in records management
A.6 Illustrative example of discipline-specific knowledge and skills of auditors in resilience, security, preparedness and continuity management
A.7 Illustrative example of discipline-specific knowledge and skills of auditors in information security management
A.8 Illustrative example of discipline-specific knowledge and skills of auditors in occupational health and safety management
A.8.1 General knowledge and skills
A.8.2 Knowledge and skills related to the sector being audited
This annex has been deleted in its entirety from the 2018 edition of ISO 19011. Although there was a general acceptance that the contents of this section added value, the committee working on the new standard (ISO/PC 302) also accepted that from a practical perspective there were significant challenges associated with keeping Annex A up to date on an ongoing basis. These relate to the ever-increasing number of published management system standards and the fact that there is no planned role for the ISO/PC 302 committee after the publication of ISO 19011:2018. Consequently, the decision was taken to remove the annex altogether in preference to allowing its contents to drift out of date over time. This means ISO 19011:2011 Annex B now becomes ISO 19011:2018's Annex A.
Annex A (Informative) – Additional guidance for auditors planning and conducting audits
The purpose of Annex A is to provide further detailed guidance to auditors on how they might approach the planning and conduct of audits. As such, it expands the previous further guidance (ISO 19011:2011 Annex B) to include the new concepts associated with organizational context, leadership and commitment, virtual audits, compliance and supply chain. References to this further guidance are made throughout the main text of ISO 19011:2018.
A.1 Applying audit methods
ISO 19011:2018 reiterates the previous guidance that audits can be performed using a range of audit methods. The choice of methods will depend on the audit's objectives, scope and criteria as well as its duration, location and the competence of the available auditors. It is usually advantageous to employ a range of methods. A table of audit methods is again provided which identifies a range of possible methods based on whether the audit is to be conducted on site or remotely and whether human interaction is required between the auditor and auditee. The only amendments to the table which previously appeared in the 2011 edition are the insertion of 'observing work performed with a remote guide' in the remote, human-interaction quadrant and the retitling of 'legal requirements' to 'statutory and regulation requirements' in the remote, no-human-interaction quadrant. The audit methods contained within the table remain focused on interviewing, observing and the review of documentation as the means of accessing audit information (refer to 6.4.5). Responsibility for the effective application of audit methods for any given audit remains either with the individual(s) managing the audit programme or with the audit team leader, who is also responsible for conducting audit activities. Additional considerations to be taken into account when determining the feasibility of a remote audit have been included in ISO 19011:2018. These include the level of risk to achieving the audit objectives that auditing remotely may present, and the requirement to satisfy any applicable regulatory requirements in respect of on-site versus remote audit. The relationship between the auditor and auditee continues to be a contributory factor when considering a remote audit. There should be a balanced use of on-site and remote audit methods in the audit programme in order to ensure that the audit programme objectives can be achieved.
A.2 Process approach to auditing
The use of a process approach to auditing is a new concept in the 2018 revision, essentially driven by the 'process approach' requirement found in management system standards. The process approach holds that organizations will achieve more consistent and predictable results, more efficiently and effectively, when their management system activities are managed as inter-related processes that collectively function as a single, coherent system. Auditors can use this methodology by focusing on the auditee's processes and their interactions when planning and conducting audits.
A.3 Professional judgement
The Annex provides new guidance for the times when auditors will be required to exercise professional judgement during the audit process, particularly when some ISO management system clauses do not readily lend themselves to normal audit evaluation methods, e.g. issues of leadership and commitment. In these instances, auditors will be called on to use their professional judgement to determine whether the intent of the clause has been met. Auditors should take a holistic view of the management system performance when using their professional judgement rather than adopt a narrow focus on some particular requirements.
A.4 Performance results
New guidance is given in this Annex that auditors should remain focused on the intended results of the management system(s) as they are auditing. This reinforces the holistic view mentioned in A.3 that, while individual processes and their outcomes are important, the overall performance of the management system is what matters most. This is effectively a warning to auditors not to be too fussy over conformity issues when there is little or no consequence for management system effectiveness. For example, whilst the absence of a process or documentation can seriously compromise a high-risk or complex organization, it may not matter at all in other, smaller organizations. When conducting combined or integrated system audits, auditors should consider the level of integration of the different management systems and their intended results when evaluating performance.
A.5 Verifying information
This further guidance replaces the annex titled 'Conducting document review', with emphasis on the process of conducting a comprehensive review of the information contained in the management system. This guidance is linked with the 'review of documented information' in clause 6.3.1. Auditors should consider (as far as reasonably practical) whether information they receive is adequate to demonstrate that requirements are being met. This should include whether the information is complete (all expected content is within the document), correct (the content conforms to other reliable sources, e.g. standards and regulations), consistent (the document does not contradict itself or other related documents) and current (the content is up to date). Information may be provided in a form or from a source other than that which the auditor was expecting. In such cases the auditor should closely evaluate the integrity of the information. The 2018 revision re-emphasises the need to pay particular attention to information security and the protection of data, both within and outside of the audit scope, especially where data protection law applies to the information reviewed. The previous note about document control effectiveness has been deleted.
A.6 Sampling
A.6.1 General
The use of reliable sampling techniques is an integral part of every auditor's function when accessing audit information. The comprehensive guidance given in the 2011 version is replicated in ISO 19011:2018, covering both judgement-based sampling and statistical sampling techniques. Audit sampling is required when it is not cost-effective or practical to examine all the available information during an audit. The evaluation can be based on particular specimens selected to represent the characteristics of the whole population, with confidence that the outcome will be reliable, depending on the integrity of the information. If the sampling method is not correct, incorrect conclusions may be drawn. The stages involved in sampling are: establish the objectives of sampling; determine the extent and composition of the population to be sampled; select a sampling method; determine a sample size; conduct the sampling; and finally, compile, evaluate, report and document the results.
A.6.2 Judgement-based sampling
Judgement-based sampling is the selection of representative samples based on the competence (previously 'knowledge, skills and experience') of the audit team. Note that audit team members may contribute to sampling decisions, not just individual auditors or team leaders. Factors influencing the decision whether to undertake judgement-based sampling include previous audit experience within the audit scope, the complexity of the requirements necessary to achieve the audit objectives, and the complexity and interaction of the organization's processes and management system components. Other factors affecting the decision include the degree of change in technology, human factors or the management system; previously identified significant risks and (new for 2018) opportunities for improvement; and the output from the monitoring of management systems. Auditors should bear in mind that with judgement-based sampling it is not possible to determine a scientifically defined, statistically based degree of uncertainty for the audit findings and the audit conclusions, i.e. the reliability of this method rests on intangible factors which are often impossible to measure.
A.6.3 Statistical sampling
Statistical sampling selects items by a probability-based method so that the sampling risk can be quantified and the evaluation outcome will be acceptably representative of the whole. The sampling plan should take the audit objectives into account along with knowledge of the target data. Such sampling can be either attribute-based or variable-based. Key elements to be considered are the context (new for 2018), size, nature and complexity of the organization, the number of competent auditors available, the frequency of audits during the year, the time allowed for each single audit, and any externally required confidence level (sometimes known as the acceptable risk factor). An additional factor in ISO 19011:2018 is the existence of unusual or exceptional circumstances surrounding the audit, e.g. sudden loss of personnel or assets by the auditee. The sample size will depend on the level of sampling risk that can be accepted, and it should be determined beforehand (i.e. the acceptable confidence level). If the auditor is willing to accept that 5 out of 100 items sampled will be unrepresentative of the population, then the acceptable confidence level is 95%. The acceptable confidence level should be recorded, along with a description of the population that was sampled, the statistical basis and methods used, the number of samples evaluated, and the results obtained. Note that international and national standards are available for use in the application of statistical sampling procedures.
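As an added example, not part of this report or of ISO 19011:2018, the Python below carries out the two calculations an auditor makes when applying attribute sampling with the confidence level just described: how many items to inspect so that a nonconformity rate at or above the tolerable level would be detected with the stated confidence, and what the inspected sample then lets the auditor claim about the whole population. It uses zero-acceptance (discovery) sampling for the sample size and a Clopper-Pearson style upper bound for the interpretation; these are textbook methods, not methods the standard prescribes, and the 95% confidence level is read as 1 minus a 5% sampling risk. The scenario (200 privileged accounts checked for MFA enforcement, a 5% tolerable nonconformity rate, and the particular accounts lacking MFA) is constructed, and the function names are this example's own.

```python
"""Attribute sampling for an audit: sample size for a stated confidence
level, and the conclusion a sample result supports.

Added, constructed example: zero-acceptance sampling and a Clopper-Pearson
style upper bound are textbook statistics, not text from ISO 19011:2018;
the population and all numbers are invented.
"""
import math
import random
from typing import Optional


def sample_size_zero_acceptance(tolerable_rate: float, confidence: float,
                                population: Optional[int] = None) -> int:
    """Smallest n such that, if nonconformities occur at tolerable_rate or
    worse, a sample containing none of them has probability at most
    1 - confidence (the accepted sampling risk).  population=None uses the
    binomial model (1-p)^n <= 1-C; a finite population uses the exact
    hypergeometric probability of drawing zero nonconforming items."""
    if not 0.0 < tolerable_rate < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("tolerable_rate and confidence must lie in (0, 1)")
    risk = 1.0 - confidence
    if population is None:
        return math.ceil(math.log(risk) / math.log(1.0 - tolerable_rate))
    # round() guards against 0.05 * 200 landing a hair above 10.0
    defects = math.ceil(round(tolerable_rate * population, 9))
    prob_zero = 1.0  # P(no nonconformity among the first n items drawn)
    for n in range(1, population + 1):
        prob_zero *= (population - defects - n + 1) / (population - n + 1)
        if prob_zero <= risk:
            return n
    return population


def _cdf_at_most(found: int, n: int, rate: float,
                 population: Optional[int], defects: int = 0) -> float:
    """P(at most `found` nonconformities in a sample of n): binomial with
    probability `rate`, or hypergeometric for a finite population holding
    `defects` nonconforming items (math.comb returns 0 out of range)."""
    if population is None:
        return sum(math.comb(n, i) * rate ** i * (1.0 - rate) ** (n - i)
                   for i in range(found + 1))
    return sum(math.comb(defects, i) * math.comb(population - defects, n - i)
               for i in range(found + 1)) / math.comb(population, n)


def upper_bound_rate(n: int, found: int, confidence: float,
                     population: Optional[int] = None) -> float:
    """Upper confidence bound on the population nonconformity rate after
    `found` nonconformities in n items: the smallest rate at which a result
    this good or better is no more likely than the accepted sampling risk."""
    risk = 1.0 - confidence
    if population is not None:  # exact search over the number of defects
        for defects in range(population + 1):
            if _cdf_at_most(found, n, 0.0, population, defects) <= risk:
                return defects / population
        return 1.0
    if found >= n:
        return 1.0
    lo, hi = 0.0, 1.0  # bisection: the CDF falls as the rate rises
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if _cdf_at_most(found, n, mid, None) > risk:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_sample(population_desc: str, n: int, found: int,
                    tolerable_rate: float, confidence: float,
                    population: Optional[int] = None) -> dict:
    """The record A.6.3 asks the auditor to keep (confidence level,
    population, basis and method, samples evaluated, result), plus whether
    the sample supports 'nonconformity rate <= tolerable_rate'."""
    bound = upper_bound_rate(n, found, confidence, population)
    return {
        "population": population_desc,
        "confidence_level": confidence,
        "method": "attribute sampling, zero-acceptance size, upper bound on rate",
        "samples_evaluated": n,
        "nonconformities_found": found,
        "rate_upper_bound": round(bound, 4),
        "supports_conformity": bound <= tolerable_rate,
    }


def run_example(seed: int = 7) -> dict:
    """Constructed scenario: 200 privileged accounts that must all have MFA;
    the auditor tolerates at most 5 % without it and accepts 5 % sampling
    risk (95 % confidence).  Which accounts lack MFA is invented and is not
    known to the auditor in advance."""
    accounts = [f"acct-{i:03d}" for i in range(200)]
    without_mfa = {"acct-017", "acct-058", "acct-133", "acct-190"}
    n = sample_size_zero_acceptance(0.05, 0.95, population=len(accounts))
    drawn = random.Random(seed).sample(accounts, n)  # random, not judgemental
    found = sum(1 for acct in drawn if acct in without_mfa)
    return evaluate_sample("200 privileged accounts (MFA enforced?)", n, found,
                           0.05, 0.95, population=len(accounts))


if __name__ == "__main__":
    print(run_example())
```

Two things worth noticing when running it. For a finite population the sample needed is smaller (51 of the 200 accounts) than the 59 the binomial model gives for a very large population, because the pool of conforming items can be exhausted; for a 1% tolerable rate the binomial figure rises to 299, which is why the tolerable rate and the sampling risk have to be fixed before the sample is drawn, as A.6.3 says. A zero-acceptance plan is also unforgiving by design: a single nonconformity in the sample pushes the upper bound above the tolerable rate, so the result is "not demonstrated" rather than "one defect, probably fine"; the auditor then either raises a finding or draws a larger, pre-agreed second sample, but does not widen the tolerance after the fact.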
A.7 Auditing compliance within a management system
New guidance has been introduced to help with the auditor's evaluation of compliance with statutory and regulatory requirements in management systems. The audit team should consider whether the auditee has effective processes in place for identifying the statutory and regulatory requirements and other requirements it has committed itself to, for managing its activities, products and services in order to achieve compliance with these requirements, and for evaluating its compliance status. The audit team should also consider whether the auditee has an effective process for identifying changes in compliance requirements and for considering these as part of its management of change. There should be competent people responsible for managing compliance processes, and the auditee should be maintaining and providing documented information on its compliance status as required by regulators or other interested parties. Auditors should also expect to see compliance requirements covered by the internal audit programme. Any instances of non-compliance should be addressed by the auditee, and compliance performance should be considered in the auditee's management review.
A.8 Auditing context
New guidance has been given on the way in which auditors should deal with the requirements in management systems relating to the organization's context. This affects a number of aspects of audit programming, planning and conduct. Issues to be addressed include determining the needs and expectations of relevant interested parties and the external and internal issues the organization faces. Auditors should ensure that the organization has developed suitable processes to determine its context, such that the results of this exercise provide a reliable basis for the definition of scope and the development of the management system. Objective evidence should be sought to confirm that this is the case. This can include identification of the processes or methods used, an evaluation of the suitability and competence of individuals contributing to the process, an evaluation of the results of the process, an examination of the application of the results of the process, and confirmation that periodic reviews of context are taking place, as appropriate. Auditors should have the necessary sector-specific knowledge and understanding of the management system tools that organizations may employ to determine context, in order that they can then make a judgement as to the effectiveness of the organization's determination processes.
A.9 Auditing leadership and commitment
Due to the increased requirements in management systems for top management responsibilities, new guidance is given on auditing these. They include demonstrating leadership and commitment by taking accountability for the effectiveness of the management system(s). There are now responsibilities which top management cannot delegate but must undertake themselves. This area is likely to involve a high degree of professional judgement by the auditor (refer to Annex A.3). Auditors should seek objective evidence to confirm the degree to which top management are fulfilling their obligations, particularly those regarding the effectiveness of their organization's management system(s). This can be achieved by reviewing the results from relevant processes (e.g. creation and maintenance of policy and objectives, provision of necessary resources, relevant communications from top management to their organization) and by interviewing staff in order to ascertain the degree of top management engagement. Auditors should also interview members of the top management team to ensure that they understand their own management system(s) responsibilities, any discipline-specific issues relevant to their management system(s), the context their organization operates in, and the intended results of their management system(s). Auditors should note that it is not only top management that should be assessed under leadership requirements: leadership and commitment should be audited at all levels of management.
A.10 Auditing risks and opportunities
With the introduction of the risk-based approach in many management systems, new guidance is given on auditing it. The determination and management of the auditee's risks and opportunities needs to be audited. The principal objectives for doing so are to give assurance on the credibility of the risk and opportunity identification processes, to give assurance that the risks and opportunities have been correctly determined, and to review how the organization has subsequently addressed the risks and opportunities it has determined. Auditors should take a holistic approach to auditing an organization's determination of risks and opportunities rather than view them in isolation, as this activity has repercussions throughout the system.
Auditors should access information regarding the inputs the organization has used in order to determine its risks and opportunities, and the methods by which its risks and opportunities are evaluated (which can differ between disciplines and sectors). Inputs to the determination of risks and opportunities can include an analysis of external and internal issues, the strategic direction of the organization, relevant interested parties and their relevant requirements and other potential sources of risk such as environmental aspects. The guidance states that the assessment of an organization’s treatment of risks and opportunities, including the level of risk it has chosen to accept and how it is controlling this, will require the application of professional judgement by the auditor (refer to Annex A.3).
A.11 Life cycle
Certain discipline specific management system standards, e.g. ISO 14000 (Environmental MS), require the application of a life cycle perspective to their associated products or services. This new guidance directs auditors to consider whether a life cycle perspective may be relevant during their audits. Adopting a life cycle perspective allows the organization to identify those areas where, in consideration of its scope, it can minimise its impact on the environment whilst adding value to the organization. The life cycle may include stages such as raw material acquisition, product or service design, production, transportation and delivery, use, end of life treatment and final disposal. In such cases an auditor should consider the extent of control and influence that the organization has over the various stages of its product and/or service life cycle. They should use their professional judgement to determine how the organization has applied a life cycle perspective in terms of its strategy, the life of their product(s) and/or service(s), the organization’s influence on the supply chain, the length of the organization’s supply chain and the technological complexity of the organization’s product(s) and/or service(s). When an integrated management system is involved, the auditor should be mindful of any overlapping life cycle considerations, e.g. differing environmental, quality and regulatory requirements.
A.12 Audit of supply chain
New guidance is provided in respect of audit programmes applicable to auditing supply chains. In such cases suitable criteria should be developed which depend on the nature of the external providers. Auditors should note that the scope of supply chain audits can differ, e.g. from a complete audit of the external provider’s management system(s) to a review of a single process, single or multiple product(s) or one or more contracts or projects.
A.13 Preparing audit work documents
The preparation of work documents for audits is a key activity and the guidance is replicated almost unchanged from Annex B.4 of the 2011 version.
Audit work documents are used by the audit team to assist with the planning, conducting and reporting of audits. Questions should be posed by the audit team linking the work documents to audit records, audit activities, its use by auditors and source data for its compilation. Audit work documents for combined audits should be developed such that duplication of audit activities is avoided. This can be achieved by amalgamating similar requirements from different criteria into a single audit work document and by coordinating the content of related checklists and questionnaires within the audit team.
A.14 Selecting sources of information
Accessing information is a key audit activity and this guidance is replicated almost unchanged from the 2011 version, e.g. ‘documented information’ replaces ‘documents’. Auditors should draw this information from a number of sources including interviews with employees and other individuals, observations of auditee activities, their work environment and surroundings, reviews of documented information, and the examination of data summaries, analyses and performance indicators. Other potential sources include information gained from auditee sampling plans and measurement processes, business reports, feedback and surveys, the contents of databases and websites and information generated from simulations and modelling.
A.15 Visiting the auditee’s location
Additional guidance is provided to reflect the fact that an audit may involve virtual activities and that ‘documents’ can exist in physical (sometimes called ‘hard copy’) or electronic formats (sometimes called ‘soft copy’). When planning and conducting the audit, the audit team should take action to minimise their interference in the auditee’s work processes. At the off-site planning stage, permission should be sought to access those parts of the auditee’s location necessary in order to conduct the audit. Adequate information should be provided to audit team members regarding security arrangements, occupational health and safety matters, cultural norms and (new for 2018) ‘working hours for the visit’. Any requirements for personal protective equipment should also be clarified with the auditee, as should the availability of such equipment. In instances other than unannounced or ad hoc audits, auditees should be made aware of the audit scope and objectives. New for 2018 is a paragraph relating to the use of recording equipment for the collection of evidence (the 2011 edition referenced ‘taking photographs or use of video’). If the use of such equipment is being considered, permission should be obtained from the auditee at the planning stage, including a discussion on any limitations for its use. Once on site the audit team should avoid any unnecessary disturbance of the auditee’s operational processes. The size of the audit team and the number of guides and observers may need to be adapted to facilitate this. Also, any audit team/auditee communications should be carefully scheduled to avoid causing disruption. Audit team members should use the personal protective equipment they are provided with in the proper manner. The auditee’s emergency procedures should also be communicated, e.g. at a health and safety induction. Should an incident occur on site, the audit team leader and auditee should review the situation and agree whether the audit should be interrupted, rescheduled or continued. During the audit, audit team members should seek permission in advance before taking copies of documentation and should be mindful of any security or confidentiality arrangements that exist. Additionally, personal information should not be obtained unless required by the audit objectives or audit criteria. New guidance is given in relation to virtual audit, which is audit activity that is undertaken without the auditor being physically present at the auditee’s location, e.g. both parties are remote from each other and are communicating through audio and/or visual means. In this situation, the audit team should ensure it is using agreed remote access protocols. If screen shots are to be taken, permission should be sought in advance to do so and any confidentiality and security arrangements should also be respected. If an unforeseen incident which impacts the audit process occurs during the remote access, the audit team leader should review this with the auditee and agreement should be reached as to whether to interrupt, reschedule or continue the audit. Graphic information such as floor plans or diagrams of the remote location should be used to provide context for the auditor, and both the auditor’s and auditee’s privacy should be respected during any audit breaks. Consideration should be given as to how information and audit evidence (irrespective of the media it is held on) is disposed of once the need for its use by the audit team has expired, e.g. downloaded files, messages etc.
A.16 Auditing virtual activities and locations
Further new detailed guidance is provided for virtual audits conducted in instances where an organization performs work or provides a service using an on-line environment which allows individuals to execute processes in any location, e.g. teleworking from home. The same standard audit process used for face-to-face audits should be followed when using technology to verify objective evidence. The audit team should ensure their technology and its operation, e.g. software, is appropriate for conducting the audit. This includes ensuring that agreed remote access protocols are used, ensuring that checks are completed ahead of the audit in order to identify and address any technical issues and ensuring a contingency plan is in place and has been communicated, should the technology fail to perform as planned. Auditors should have the technical skills necessary to utilise the relevant technology for audit purposes and they should also have experience in conducting virtual meetings. The risks associated with virtual audit should also be considered. Floor plans / diagrams should be used for references or for the mapping of electronic information. Background noise and interruptions should be minimised, permission sought before taking screenshots or recordings and privacy should be maintained during audit breaks, e.g. pausing video streams and muting sound.
A.17 Conducting interviews
Interviewing people is a key auditor competence and the guidance on good practice for auditors is replicated almost unchanged from the 2011 version. Interviews are an increasingly important means of accessing information, especially when management systems contain requirements such as to ‘determine’ whether various undocumented activities or processes are in place. In such instances interviewing several auditees, for corroboration purposes, provides the auditor with a means to verify whether that determination has taken place. Interviews should be held with individual(s) from appropriate levels of the organization and from those functions which are performing activities that fall within the audit scope. They should be conducted during working hours and, ideally, at the normal workplace of the auditee. Auditors should attempt to put individuals being interviewed at ease. They should explain the reason why they are conducting the interview and should confirm that notes are being taken, not to identify issues, but simply to ensure there is a record of what is being discussed. The standard recognises auditees may be nervous and suggests a good starting point may be to ask them to explain the work they do. Auditors should include a mix of open, probing and closed questions to help establish facts and should avoid the use of leading questions where possible. Non-verbal communication, e.g. tone of voice, body language, etc., is also important, and auditors should be aware of this. They should also recognise that in virtual audit situations the benefit of non-verbal communication is lost and hence additional emphasis should be placed on adopting good questioning techniques.
A.18 Audit findings
A.18.1 Determining audit findings
Further guidance in the 2018 edition adds several factors to the list in the 2011 version that auditors should consider when making a finding: the accuracy, sufficiency and appropriateness of objective evidence to support the audit findings, and the extent to which planned audit activities are realised and planned results achieved. Retained in the list are any follow-up actions from previous audits and their conclusions, the requirements of the audit client, any findings exceeding normal practice or opportunities for improvement, the sample size they have taken and the categorisation (if any) of the findings.
A.18.2 Recording conformities
New guidance for recording conformity is the recording of evidence to demonstrate the effectiveness of the management system, not just conformity. ISO 19011:2011 required ‘identification of’ the audit criteria conformity is demonstrated against; ISO 19011:2018 replaces this with ‘a description of or reference to’ the audit criteria which conformity is demonstrated against.
A.18.3 Recording nonconformities
When recording a nonconformity, an auditor should clearly specify the audit criteria they were conducting their audit against. They should record details of anything they have seen or heard which indicates that these criteria are not being met, i.e. the objective evidence. They should identify their finding as a nonconformity and should consider any related findings that substantiate the nonconformity.
A.18.4 Dealing with findings related to multiple criteria
There may be occasions when a single finding identifies that several audit criteria are not being met. If this occurs during a combined audit, then the auditor needs to consider the possible impact of the finding for all the management systems under review, not just for the system the finding was originally identified in. In the case of multiple criteria, the auditor can either raise a separate finding for each nonconforming situation or a single finding which references all nonconforming situations, taking into account the audit client’s preferences. If the audit client agrees, the auditor may also provide guidance to the audit client in respect of how they should respond to the auditor’s findings. This is more common in second party audits.
Bibliography
ISO 19011:2011 referenced 23 documents and/or websites in its bibliography, including many of ISO’s principal management system standards. For ISO 19011:2018, this number has been significantly reduced. There are now only 4 entries in the bibliography:
• ISO 9000:2015 – Quality management systems – Fundamentals and vocabulary
• ISO/IEC 17021-1:2015 – Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements
• ISO Guide 73:2009 – Risk management – Vocabulary
• ISO 9001 Auditing Practices Group papers, available at: www.iso.org/tc176/ISO9001AuditingPracticesGroup
7. Implications
General
ISO 19011 is a guidance standard and, as a result, organizations are not required to make any changes to their existing audit arrangements as a result of the publication of ISO 19011:2018. However, the CQI and IRCA recommend that organizations review their existing approach to audit in light of ISO 19011:2018’s publication. The purpose of revising ISO 19011 was to set a higher standard for the effectiveness of both internal and (where applicable) external audit. The voluntary adoption of the revised guidance contained within ISO 19011:2018 should result in the implementation of more efficient and effective audit processes and the development of more competent audit personnel.
Implications For Specific Audit Roles
Individuals Managing the Audit Programme
There have been significant changes to the role of the Individual Managing the Audit Programme. These are detailed in sub-clause 5.4.1. Also, the competence requirements of this individual have been substantively amended (see 5.4.2). The individual managing the audit programme must now consider the context of the auditee’s organization when designing audit programmes. This requires an understanding of their internal and external issues and the relevant requirements of their stakeholders. They must ensure that the audit programme is focussed on areas of high risk or where there are recognised performance issues. The information to be included in the audit programme has increased (see 5.1) and greater emphasis has been placed on the ongoing monitoring and maintenance of the programme and on the achievement of the audit programme objectives. The individual managing the audit programme is expected to use information arising from the monitoring of the audit programme to drive the programme’s improvement. This is to take place on an ongoing basis. The individual managing the audit programme is also required to revise the programme if there are changes to audit objectives, scopes or criteria. They are also expected to notify the audit client in respect of the risks, opportunities and resource requirements identified during the development of the audit programme. In order to undertake these duties, the individual managing the audit programme requires the necessary competence to deal with any risks and opportunities or internal or external issues affecting the delivery of the audit programme. Knowledge of the auditee’s context and business activities plus statutory and regulatory requirements relating to the auditee’s business is considered essential, as is an awareness of risk, project and process management. It is the individual managing the audit programme who selects the audit methods to be used based on their evaluation of the methods’ effectiveness and efficiency. Once they have completed the identification of methods, they should communicate these to the audit client. The individual managing the audit programme still appoints the audit team leader, audit team members and technical experts, ensuring their collective competence to conduct the assessment. In doing so there is an expectation that they will consult on team composition with the audit team leader. The scope of communication for the individual managing the audit programme has been extended. They are now expected to interact not just with the auditee but with other relevant interested parties, as required. Once an audit has been completed the individual managing the audit programme must ensure that the objectives for each single audit have been met. They should review the performance of the entire audit team and any technical experts and should distribute the audit report to relevant interested parties.
Auditors
It is now accepted that auditors no longer have to be independent of the activity being audited in order to be able to demonstrate impartiality and objectivity. This is because the demonstration of these characteristics has more to do with the mind-set of the auditor than it has with their assigned role or duties. This notwithstanding, there is an expectation that auditors will be independent ‘where practical’, so if it is possible to structure an audit team in such a way that no auditor audits their own work then the individual managing the audit team should do so. Auditors can now expect to receive additional information prior to the audit, including information relating to environmental arrangements as well as any requirements for travel to or access of remote sites. They should also expect to be advised as to their decision-making authority by the audit team leader. When conducting desktop reviews auditors will now need to additionally consider the auditee’s context, risks and opportunities and the audit criteria that are to be applied. They will then be required to prepare documented information for audit (previously work documents), e.g. checklists, which could be virtual (e.g. online). One of the most significant changes brought into ISO 19011:2018 is the guidance that audit evidence is no longer ‘information that can be verified’ but information that can be ‘subject to a degree of verification’. Increasingly, auditors need to recognise that there will be instances, especially when assessing elements of Annex SL based standards, where evidence suggests compliance but professional judgement will need to be used in order to determine the degree of reliance the auditor should place on that audit evidence. Not everything in the world of audit is black or white; there are shades of grey, and auditors must be comfortable dealing with such uncertainty.
Auditors should expect greater monitoring of their performance during audits and more regular evaluations of their competence between audits. The inclusion of new topics in Annex A indicates an expectation that auditors should be competent in these topics where they are applicable to their own scope of audit. It is now recognised that a competent auditor requires more than the technical knowledge and skill required to conduct an audit. They require a greater understanding of the auditee’s business sector, processes, products and services than previously. Auditors should understand risks and opportunities and risk-based auditing, and should be competent in audit principles, methods and techniques relevant to the disciplines and sectors they assess. All auditors are expected to undertake regular continuing professional development (CPD) and it is no longer sufficient for an auditor to attend an auditor training course – in order to demonstrate competence, they are expected to satisfactorily complete it.
Audit Team Leaders (Lead Auditors)
In addition to those implications for auditors set out above, there are additional implications for those responsible for leading audit teams. While still responsible for agreeing audit arrangements with the auditee, the audit team leader must now act to resolve any issues in respect of the composition of the team (including any potential conflicts of interest) with the auditee and/or audit client prior to the audit. New considerations have been introduced in respect of audit planning and the audit team leader should ensure that there is a focus on the entire audit planning activity as opposed to just the end product, ‘the audit plan’. The audit team leader now assigns responsibilities to team members for decision making following consultation with the team. They direct the use of technical experts and approve (where necessary with the auditee and the audit client) any guides, observers and/or interpreters. In the 2011 edition of ISO 19011 the audit team leader facilitated the closing meeting; now they are expected to chair the closing meeting. Audit team leaders must possess the necessary competence to facilitate the efficient and effective conduct of the audit (previously ‘the knowledge and skills to manage the audit’) and the competence to discuss strategic matters with the auditee’s top management. They must also display the necessary leadership to achieve a collaborative working relationship within the team and to address any issues within the team. As is the case for single auditors, audit team leaders are expected to undertake regular continuing professional development, including improving their understanding and application of audit practice and ICT.
Audit Client
The audit client is the individual or organization that is responsible for commissioning the audit. The audit client may or may not be the auditee. ISO 19011:2018 transfers responsibility for establishing the audit programme objectives to the audit client. There are now specific considerations the audit client must take into account when they are formulating these objectives. It is essential that the audit programme objectives align with the strategic objectives of the auditee’s organization. Once agreed, the audit programme objectives should be documented. The audit client is also responsible for ensuring that the audit programme is being effectively implemented, previously a responsibility of the auditee’s top management. They are required to approve any changes to the programme (also previously an auditee’s role) and should be present at the closing meeting, as appropriate, with any other interested parties.
Auditees
Auditees should expect to see a more business focussed auditor, aware of their organization’s risks and opportunities, internal and external issues and the relevant requirements of their stakeholders. They should expect an auditor with up-to-date skills and knowledge whose performance is being regularly assessed in order to ensure they remain competent to audit. The auditor should be skilled in a range of audit methods, tools and techniques and not focussed solely on reviewing documents or sticking religiously to predefined checklists. They should witness auditors adopting a process approach to audit, understanding the operation of the auditee’s business holistically as opposed to assessing each individual element in isolation. As auditors are increasingly being asked to demonstrate professional judgement, the potential for disagreement between the auditee and the auditor in respect of audit findings is increased. As is the case at present, auditees should be prepared to challenge the auditor where they feel that the auditor’s decision is incorrect.
8. Conclusion
ISO 19011:2018 is not without its flaws. In common with most ISO standards, it’s written in language which makes it easy to translate but sometimes difficult to understand. The 2011 edition Annex A, which provided examples of discipline and sector specific audit topics, has been deleted despite its popularity, as no one could be identified to maintain it. The new Annex A, which provides advice on specific audit topics, is underdeveloped and could have been of so much more practical use for those starting out in the profession. And of course, the standard remains guidance: there is no obligation for anyone to adopt its contents. Nonetheless, ISO 19011:2018 underpins all CQI and IRCA auditor training courses and auditor certification schemes for good reason – it provides a robust, tried-and-tested framework for the effective audit of any management system.
9. Clause Comparison ISO 19011:2018 and ISO 19011:2011
The following table highlights the respective structures of the 2018 and 2011 editions of ISO 19011. As ISO 19011 is not an Annex SL based management system standard, the ISO/PC 302 committee was not required to adopt the high-level structure prescribed within Annex SL appendix 2. Whilst the 2018 and 2011 editions’ structures are broadly similar, there are some important differences as detailed in this table. These centre around the retitling and reordering of a number of the 2011 clauses in the 2018 edition, the introduction of a new sub-clause 6.4.5 ‘Audit information availability and access’, the deletion of the 2011 edition’s Annex A and the expansion of the 2011 edition’s Annex B, which now becomes the 2018 edition’s Annex A.
ISO 19011:2018 | ISO 19011:2011
Foreword | Foreword
Contents | Contents
Introduction | Introduction
1 Scope | 1 Scope
2 Normative references | 2 Normative references
3 Terms and Definitions | 3 Terms and Definitions
4 Principles of auditing | 4 Principles of auditing
5 Managing an audit programme | 5 Managing an audit programme
5.1 General | 5.1 General
5.2 Establishing audit programme objectives | 5.2 Establishing the audit programme objectives
5.3 Determining and evaluating audit programme risks and opportunities | (see 5.3.4 below)
5.4 Establishing audit programme | 5.3 Establishing the audit programme
5.4.1 Roles and responsibilities of individual(s) managing the audit programme | 5.3.1 Roles and responsibilities of the person managing the audit programme
5.4.2 Competence of individual(s) managing the audit programme | 5.3.2 Competence of the person managing the audit programme
5.4.3 Establishing extent of audit programme | 5.3.3 Establishing the extent of the audit programme
5.4.4 Determining audit programme resources | (see 5.3.6 below)
- | 5.3.4 Identifying and evaluating audit programme risks
- | 5.3.5 Establishing procedures for the audit programme
- | 5.3.6 Identifying audit programme resources
5.5 Implementing audit programme | 5.4 Implementing the audit programme
5.5.1 General | 5.4.1 General
5.5.2 Defining the objectives, scope and criteria for a single audit | 5.4.2 Defining the objectives, scope and criteria for a single audit
5.5.3 Selecting and determining audit methods | 5.4.3 Selecting the audit methods
5.5.4 Selecting audit team members | 5.4.4 Selecting the audit team members
5.5.5 Assigning responsibility for a single audit to the audit team leader | 5.4.5 Assigning responsibility for a single audit to the audit team leader
5.5.6 Managing audit programme results | 5.4.6 Managing the audit programme outcome
5.5.7 Managing and maintaining audit programme records | 5.4.7 Managing and maintaining audit programme records
5.6 Monitoring audit programme | 5.5 Monitoring the audit programme
5.7 Reviewing and improving audit programme | 5.6 Reviewing and improving the audit programme
6 Conducting an audit | 6 Performing an audit
6.1 General | 6.1 General
6.2 Initiating audit | 6.2 Initiating the audit
6.2.1 General | 6.2.1 General
6.2.2 Establishing contact with auditee | 6.2.2 Establishing initial contact with the auditee
6.2.3 Determining feasibility of audit | 6.2.3 Determining the feasibility of the audit
6.3 Preparing audit activities | 6.3 Preparing audit activities
6.3.1 Performing review of documented information | 6.3.1 Performing document review in preparation for the audit
6.3.2 Audit planning | 6.3.2 Preparing the audit plan
6.3.3 Assigning work to audit team | 6.3.3 Assigning work to the audit team
6.3.4 Preparing documented information for audit | 6.3.4 Preparing work documents
6.4 Conducting audit activities | 6.4 Conducting the audit activities
6.4.1 General | 6.4.1 General
6.4.2 Assigning roles and responsibilities of guides and observers | (see 6.4.5 below)
6.4.3 Conducting opening meeting | 6.4.2 Conducting the opening meeting
6.4.4 Communicating during audit | (see 6.4.4 below)
6.4.5 Audit information availability and access | -
6.4.6 Reviewing documented information while conducting audit | 6.4.3 Performing document review while conducting audit
- | 6.4.4 Communicating during the audit
- | 6.4.5 Assigning roles and responsibilities of guides and observers
6.4.7 Collecting and verifying information | 6.4.6 Collecting and verifying information
6.4.8 Generating audit findings | 6.4.7 Generating audit findings
6.4.9 Determining audit conclusions | 6.4.8 Preparing audit conclusions
6.4.10 Conducting closing meetings | 6.4.9 Conducting the closing meeting
6.5 Preparing and distributing audit report | 6.5 Preparing and distributing the audit report
6.5.1 Preparing audit report | 6.5.1 Preparing the audit report
6.5.2 Distributing audit report | 6.5.2 Distributing the audit report
6.6 Completing audit | 6.6 Completing the audit
6.7 Conducting audit follow up | 6.7 Conducting audit follow-up
7 Competence and evaluation of auditors | 7 Competence and evaluation of auditors
7.1 General | 7.1 General
7.2 Determining auditor competence | 7.2 Determining auditor competence to fulfil the needs of the audit programme
7.2.1 General | 7.2.1 General
7.2.2 Personal behaviour | 7.2.2 Personal behaviour
7.2.3 Knowledge and skills | 7.2.3 Knowledge and skills
7.2.3.1 General | 7.2.3.1 General
7.2.3.2 Generic knowledge and skills of management system auditors | 7.2.3.2 Generic knowledge and skills of management system auditors
7.2.3.3 Discipline and sector-specific competence of auditors | 7.2.3.3 Discipline and sector specific knowledge and skills of management system auditors
7.2.3.4 Generic competence of audit team leader | 7.2.3.4 Generic knowledge and skills of an audit team leader
7.2.3.5 Knowledge and skills for auditing multiple disciplines | 7.2.3.5 Knowledge and skills for auditing management systems addressing multiple disciplines
7.2.4 Achieving auditor competence | 7.2.4 Achieving auditor competence
7.2.5 Achieving audit team leader competence | 7.2.5 Audit team leaders
7.3 Establishing auditor evaluation criteria | 7.3 Establishing the auditor evaluation criteria
7.4 Selecting appropriate auditor evaluation criteria | 7.4 Selecting the appropriate auditor evaluation method
7.5 Conducting auditor evaluation | 7.5 Conducting auditor evaluation
7.6 Maintaining and improving auditor competence | 7.6 Maintaining and improving auditor competence
- | Annex A Guidance and illustrative examples of discipline-specific knowledge and skills of auditors
Annex A Additional guidance for auditors planning and conducting audits | Annex B Additional guidance for auditors for planning and conducting audits
A.1 Applying audit methods | B.1 Applying audit methods
A.2 Process approach to auditing | -
A.3 Professional judgement | -
A.4 Performance results | -
A.5 Verifying information | B.2 Conducting document review
A.6 Sampling | B.3 Sampling
A.6.1 General | B.3.1 General
A.6.2 Judgement-based sampling | B.3.2 Judgement-based sampling
A.6.3 Statistical sampling | B.3.3 Statistical sampling
A.7 Auditing compliance within a management system (new for 2018) | -
A.8 Auditing Context | -
A.9 Auditing Leadership and Commitment | -
A.10 Auditing risks and opportunities | -
A.11 Life cycle | -
A.12 Audit of supply chain | -
A.13 Preparing audit work documents | B.4 Preparing work documents
A.14 Selecting sources of information | B.5 Selecting sources of information
A.15 Visiting the auditee’s location | B.6 Guidance on visiting the auditee’s location
A.16 Auditing virtual activities and locations | -
A.17 Conducting interviews | B.7 Conducting interviews
A.18 Audit findings | B.8 Audit findings
A.18.1 Determining audit findings | B.8.1 Determining audit findings
A.18.2 Recording conformities | B.8.2 Recording conformities
A.18.3 Recording nonconformities | B.8.3 Recording nonconformities
A.18.4 Dealing with findings relating to multiple criteria | B.8.4 Dealing with findings relating to multiple criteria
Bibliography | Bibliography
www.quality.org | 71
10. Acknowledgements
The CQI and IRCA would like to thank the authors, reviewers and contributors for their work on this report.
Richard Green (principal author)
Ian Dunlop: BSc FCQI CQP, CQI and IRCA Technical Assessor (author)
Denise Robitaille: Chair, ISO PC 302
Alexander Woods: Policy Manager, CQI
The CQI and IRCA would also like to thank Ideagen PLC for their sponsorship and support of this report.
The Chartered Quality Institute (CQI) and The International Register of Certificated Auditors (IRCA)
The CQI is the chartered body for quality management professionals. It exists to benefit the public by advancing education in, knowledge of and the practice of quality in industry, commerce, the public sector and the voluntary sectors. IRCA is a division of the CQI and is the leading professional body of management system auditors.
www.quality.org
Ideagen Plc
Ideagen provides software and expertise to help the world's leading brands to improve efficiency, prevent undesirable events and ensure compliance by managing quality, safety, audit and every aspect of operational risk. With over 4,000 customers in more than 90 countries, Ideagen's products and services are at the forefront of quality, safety, risk, operational performance and compliance management for some of the world's best-known organizations including PwC, Heineken, NHS, Emirates and Harvard University. Ideagen is dedicated to promoting enterprise-wide quality management through compliance with standards such as ISO 9001 and many more.
www.ideagen.com