ISO 19011:2018 is the 3rd edition of ISO 19011 and is a technical revision of the 2nd edition (2011). Here is an outline of the 7 key differences:
- Addition of the risk-based approach to the principles of auditing;
- Expansion of the guidance on managing an audit programme, including audit programme risks;
- Expansion of the guidance on conducting an audit, particularly the section on audit planning;
- Expansion of the generic competence requirements for auditors;
- Adjustment of terminology to reflect the process and not the object (“thing”);
- Removal of the annex containing competence requirements for auditing specific management system disciplines (due to the large number of individual management system standards, it would not be practical to include competence for all disciplines);
- Expansion of Annex A to provide guidance on auditing (new) concepts such as organisational context, leadership and commitment, virtual audits, compliance and supply chain.
SQMC Director, Karen MacKenzie, has assessed the differences and summarises them below:
1) Clause 4 of ISO 19011:2018: Principles of auditing
The first six principles are the same in both editions; the 2018 version slightly clarifies their wording and adds a seventh principle:
Risk-based approach: an approach that considers risks and opportunities.
“The risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit programme objectives”.
There is an obvious link here with ISO 9001:2015 Clause 9.2.2 (which references ISO 19011), whose requirements include the phrase “shall take into consideration the importance of the processes concerned”.
The auditor will be required to study the risk and opportunity elements of processes and to plan audits of suitable frequency, breadth and depth to determine conformity against the agreed audit objectives, providing sufficient, valid, reliable and verified information to allow effective decision making.
2) Clause 5.3 of ISO 19011:2018: Determining and evaluating audit programme risks and opportunities
So not only do the processes subject to audit carry risks and opportunities; auditing itself has always had its own. The 2018 version of ISO 19011 expects the person managing the audit programme to make the audit client aware of those risks and opportunities, and of their resource implications, when putting the programme together.
Risks could include inadequate planning, inadequate resourcing, insufficient competence within an audit team, ineffective communication, poor coordination and management of audits, failure to conform to the principles of auditing, poor control of documented information and inadequate monitoring and reviewing of the audit programme.
This is a vital point. If audits cannot be adequately resourced to achieve their objectives, they are not feasible and alterations must be made.
Opportunities include combining or integrating audits, improved logistics, and good matching of auditor competence to that needed to achieve the audit objectives.
3) Clause 6.3.2 of ISO 19011:2018: Expansion of the guidance on conducting an audit, particularly the section on audit planning
Clause 6.3.2.1, Risk-based approach to planning. Whilst the 2011 version of ISO 19011 stated that specific measures should be taken to address the effect of uncertainty on achieving audit objectives, the 2018 version states that planning should be detailed enough to reflect the risk of not achieving the audit objectives, and proposes consideration of the following:
- The audit team and its overall competence
- Appropriate sampling techniques
- Opportunities to improve the effectiveness and efficiency of audit activities
- Risks created by ineffective audit planning
- Risks to the auditee created by performing the audit (effective planning, communication and overall competence of the auditor(s) will mitigate risks here).
4) Clause 7.2.3.2 of ISO 19011:2018: Expansion of the generic competence requirements for auditors
The first addition in the 2018 version of ISO 19011 is the ability to understand the types of risks and opportunities associated with auditing and the principles of the risk-based approach to auditing. Also added is the requirement to be able to “audit a process from start to finish, including the interrelations with other processes and different functions when appropriate”, which rather states the obvious in process auditing, now in its 18th year.
5) ISO 19011:2018: Adjustment of terminology to reflect the process and not the object (“thing”)
This is seen throughout the entire document: the increased focus on the process approach in planning and conducting the audit reflects it. The process approach was not lacking in the 2011 version, but it receives even more emphasis in 2018. I would surmise that auditors still have trouble fully grasping auditing by process, and that the need to emphasise it is aligned with the guidance on auditors using their reasoned judgement (see also the notes on auditor competence), as seen in the following:
Annex A. “A.2 Process approach to auditing. The use of a “process approach” is a requirement for all ISO management system standards in accordance with ISO/IEC Directives Part 1, Annex SL. Auditors should understand that auditing a management system is auditing an organisation’s processes and their interactions in relation to one or more management system standard(s). Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system”.
Annex A. “A.3 Professional judgement. Auditors should apply professional judgement during the audit process and avoid concentrating on the specific requirements of each clause of the standard at the expense of achieving the intended outcome of the management system. Some ISO management system standard clauses do not readily lend themselves to audit in terms of comparison between a set of criteria and the content of a procedure or work instruction. In these situations, auditors should use their professional judgement to determine whether the intent of the clause has been met”.
This is not as daunting as it may sound. It has always been a requirement for auditors to collect sufficient, valid, reliable and verifiable information, to make reasoned judgements on the degree of conformity, and to present these to the audit client; if they have not been doing so, the fault does not lie with any set of standards. My own auditing experience shows me that not nearly enough ongoing development of auditors takes place, not enough standardisation meetings are conducted, and not enough analysis of internal audit as a function (of report writing, of evidence collection, of interpretation) is carried out; nor is nearly enough use made of audit as a management tool to provide information that informs the review and decision-making processes within P-D-C-A. All of this can be addressed.
Auditors need to ask their audit clients: what is the management system for, and what is it expected to achieve? Without the answer, an auditor cannot determine whether the system is adequately resourced, staffed, monitored and measured, and it is this bigger question that auditors must answer when exercising professional judgement about whether the intent of a clause has been met.
6) Removal of the annex containing competence requirements for auditing specific management system disciplines (due to the large number of individual management system standards, it would not be practical to include competence for all disciplines)
I believe this is self-explanatory; however, we need more focus on performance evaluation of auditors within organisations.
7) Annex A: Expansion of Annex A to provide guidance on auditing (new) concepts such as organisational context, leadership and commitment, virtual audits, compliance and supply chain
This is a useful addition, and I particularly value the section on life cycle (A.11). The enormous amount of weighty information published on life cycle nearly all points to how difficult it is, in many instances, to adopt a fully comprehensive life cycle approach. So, again, we are in the hands of the auditor’s professional judgement, and this must indeed be professional and justifiable.
I hope this guidance will drive auditors away from seeking comfort in a piece of paper that describes ‘organisational context’ etc., and move them towards focusing on how a management system is conceived and constructed, managed and maintained to achieve strategic goals.