ISO 19011 is an international standard that sets out guidelines for auditing management systems. The standard is applicable to a wide range of users, including, among others, organizations that need to conduct internal and/or external management system (MS) audits and manage audit programmes. The standard covers the principles of auditing and provides a broader harmonized approach to management system auditing and comprehensive guidance on how to conduct a management system audit. This guidance is intended to be flexible, and it should be adapted as appropriate to the scope, complexity and scale of the audit programme and/or the organization to be audited. While ISO/IEC 17021-1 sets forth the requirements for bodies providing audit and certification of management systems, it can also provide additional guidance on how to conduct management system audits.
ISO 19011 was first published in 2002 and was used as a guideline for auditing quality (ISO 9001) and/or environmental (ISO 14001) management systems. Since then, the number of management system standards that share a common structure and core definitions has increased, along with the need to consider a broader approach to the audit of management systems. ISO 19011 has been updated to reflect both the structure and the content of the new management system standards.
ISO 19011:2018 – Key Changes
The ISO 19011:2018 standard has undergone a number of changes. The changes in the new version of the standard cover, among others, updates in terminology, the addition of the seventh principle of auditing, minor alterations in clauses 5 to 7, newly added clauses and sub-clauses, as well as the addition of a number of sections in Annex B (now Annex A) and deletion of the formerly known Annex A.
Changes in terminology:
The Terms and definitions section within ISO 19011:2018 has been revised. This revision includes the most important terms and definitions of ISO 9000:2015, such as audit, audit team, management system, and risk. The term ‘documents and records’ has been replaced with ‘documented information’ and ‘suppliers’ has been replaced with ‘external providers’, among others. In addition, new terms and definitions have been included in the ISO 19011:2018 standard, a few of which have been listed in the table below:
Changes in the principles of auditing:
The 2018 version of the standard places an enhanced focus on the newly added principle – the risk-based approach – which considers risks and opportunities during the planning, conducting and reporting phases of an audit. In order to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit programme objectives, risk needs to be considered from the design of the audit programme to the issue of the audit report. The application of the risk-based approach can serve as a tool for risk prevention and for optimizing the efficiency and effectiveness of the audit process and its outcome(s).
This principle is intertwined with the structure of the rest of the document, specifically Section 5 – Managing an audit programme, which suggests that when preparing an audit programme, moderate consideration should be given to the identified risks and opportunities, as well as the actions taken to address them. According to the new version of the standard, the process of managing an audit programme is as depicted in Figure 1.
(Source: ISO 19011, Figure 1)
Changes in the clauses of ISO 19011:2018:
Clauses 5, 6 and 7 of ISO 19011:2018 have undergone a few adjustments, albeit on a minor scale. Section 7 has also been updated with added information that emphasizes the auditors’ competencies, in order to ensure the overall competence of the audit team with regard to each individual audit. Additionally, from now on audit team leaders are expected to possess the competencies to discuss strategic issues with top management.
Furthermore, the new version of the standard has introduced the following clause:
• Clause 6.4.5 Audit information availability and access.
Changes in the Annexes of ISO 19011:2018:
Annex A has been expanded considerably, with additional sections that emphasize performance results, the process approach, professional judgment, the organization’s impact over the stages of its product and/or service lifecycle, and auditing risks and opportunities. Other additions in Annex A, which may be less prominent but are equally important, include: supply-chain auditing, auditing leadership and commitment, auditing compliance within a management system, and the use of ICT in the audit process. Following the changes in the new version, the formerly known Annex A ‘Guidance and illustrative examples of discipline-specific knowledge and skills of auditors’ has been removed from the standard. This annex contained sector-specific examples of the knowledge and skills required to conduct audits in particular types of industries. The formerly known Annex B has now become Annex A.
The main changes in the ISO 19011:2018 standard include:
• Updated terms and definitions so as to be in line with the definitions used in other standards;
• The addition of the 7th principle of auditing – risk-based approach;
• Additional information on managing an audit programme, including audit planning, audit programme risk, conducting an audit, and elaboration of the generic competence requirements for auditors;
• Expansion of Annex B (now Annex A), including the additional sections on process approach, lifecycle, professional judgment, audit risks and opportunities, audit leadership and commitment, use of information and communication technologies during auditing, virtual activities; and abolition of the former Annex A.
“The focal point of the new version of the standard is the consideration of evolving technologies and the increased focus on risk.”
The latest version of the standard aims to consolidate the existing guidelines in order to help organizations manage a successful audit programme, ensure continuous improvement and enable effective auditing across multiple systems.