What is ISO 19011?
ISO 19011:2018 is a guidance document for organizations that are establishing audit programs and performing audits for existing management systems. It covers the entire lifecycle of auditing systems—from the blueprint to evaluation. The auditing guidelines rest upon seven principles and encompass continuous improvement strategies for a sustained audit implementation.
Now in its 2018 edition, ISO 19011 sets the standard for building a world-class auditing system for organizations. However, note that this standard does not come with a certification that entails specific requirements. Instead, it aids organizations in properly implementing ISO’s management system standards through cross-checking measures and thorough documentation, among other things.
Purpose
ISO 19011 establishes benchmarks for a standardized and well-functioning audit system. It provides organizations with a solid framework to build their processes on, both for auditing management systems and for establishing audit programs. As a result, organizations can plan, conduct, and manage audits in a systematic and objective manner.
Moreover, the ISO 19011 standard enables organizations to enhance their management systems through a rigorous auditing arm. It ensures conformity to ISO’s management system standards such as but not limited to the following:
- ISO 9001 – Quality Management System (QMS)
- ISO 14001 – Environmental Management System (EMS)
- ISO 31000 – Risk Management System
ISO 9001 vs. ISO 19011: What’s the Difference?
While belonging to the same ISO 9000 family, these two ISO standards perform distinct yet complementary functions. Discover the differences and similarities between ISO 9001 and ISO 19011 through the comparison table below.
| | ISO 19011:2018 | ISO 9001:2015 |
|---|---|---|
| Name | Quality management systems – Guidelines for Auditing Management Systems | Quality management systems – Requirements |
| Latest version | 2018 | 2015 |
| Content | Recommendations for evaluating existing management systems and building audit programs | Requirements and best practices for building a QMS |
| Purpose | Guide organizations in accurately assessing their management system performance and finding areas for improvement. | Set benchmarks for establishing quality metrics and standards in organizational processes and outputs. |
| Best used for | Applying best practices for creating a solid auditing system | Implementing ISO standards for managing quality systems |
| Certifiable? | No | Yes |
What is an Audit?
Within the ISO 19011 framework, an audit follows a methodical process to objectively examine and prove that an organization abides by specific rules, standards, and regulations. Proof often comes in the form of documents and reports of business operations, protocols, and practices relevant to the scope, objectives, and criteria of the audit plan.
Audits are typically classified into two types: internal and external. The sections below discuss how each of them works for an organization.
Internal Audit
Internal audits, otherwise known as self-audits, pertain to auditing processes conducted inside the organization. With this type of audit, the organization (or an institution on its behalf) initiates an audit program to assess if its operations are efficient and aligned with statutory or standard requirements.
They also allow organizations to identify weaknesses in their processes and continuously improve their management systems.
External Audit
On the other hand, external audits often involve parties outside the organization. They can stem from either of the following parties:
- Second-party – customers, clients, vendors, and other stakeholders working with the company
- Third-party – independent auditing bodies (for certification) and government agencies (for statutory compliance)
7 Principles of Auditing
ISO 19011 outlines seven principles forming the cornerstones of audit processes and programs. They direct audit teams on the right path and ensure the effectiveness of an organization’s audit system. These guiding principles are as follows:
- Integrity – Uphold fairness, honesty, and responsibility when managing audit programs and performing audits.
- Fair presentation – Present audit findings and conclusions with veracity, objectivity, accuracy, timeliness, and completeness.
- Due professional care – Exercise due diligence and reasonable judgment in all audit situations.
- Confidentiality – Safeguard audit information sources, especially sensitive or confidential ones.
- Independence – Ensure an impartial, bias-free judgment throughout the audit process.
- Evidence-based approach – Anchor the audit findings and conclusions on verifiable evidence with appropriate sample sizes.
- Risk-based approach – Incorporate risks and opportunities in the entire audit process lifecycle—from plans to communication materials.
Establishing an Audit Program
Successful audits become possible with the help of robust audit programs. After all, they steer auditors in the right direction by establishing a specific time frame and purpose for any audits to be conducted. Organizations can also scale their programs depending on their size.
An effective audit program consists of the following components:
- Goals and objectives of the audit program
- Opportunities and risks associated with the audit program
- Type of audit(s) – internal, external
- Scope – extent, location, limitations
- Schedule – amount (how many times), frequency (how often), duration (how long)
- Method – remote, on-site, combination
- Criteria for the auditing process – to determine conformity with rules or standards
- Requirements for audit team selection
- Other relevant documents and information
Sustaining this program requires a consistent review and monitoring mechanism to check if the organization meets its objectives, identify areas that need change, and pursue continuous improvement.
Ensure Compliance with ISO 19011 Training
Training is a crucial asset for professionals aiming to excel in auditing practices and contribute to organizational success. With ISO 19011 training, you’ll gain the knowledge and skills to conduct effective audits, assess management systems, and ensure ISO compliance. You’ll become a competent auditor who is capable of driving performance improvement and achieving quality objectives.
With SafetyCulture Training you can transform your ISO auditor training materials into engaging and accessible slides that are easy to digest and retain. They’re compatible with any device, so you can access your course and continuously develop your skills even on the go. Say goodbye to dull manuals and hello to captivating, effective learning.
Guidelines for Auditing a Management System
Audits are necessary for ensuring conformity to specific local and international standards such as ISO. To carry them out, your organization will need to fill various roles that help the audits achieve their targets.
As with most ISO standards, keep in mind that your strategy will depend on the management system you plan to implement. After all, the standards for a quality management system differ from those for an environmental management system.
Understanding the auditing process is key to its effective implementation. Read on to learn how this process works in the context of ISO 19011.
Planning
The initial phases of an audit consist of planning out details, ranging from the audit objectives to audit teams. The tasks involved in this stage of the auditing process include the following:
- Determining the objectives for conducting the audit
- Forming and selecting qualified members of the audit team
- Designating roles and responsibilities for auditors
- Preparing a checklist of tasks and action items for the audit
- Identifying the scope, location, amount, and frequency of audits
- Setting procedures to review the auditing process
Audit Completion
Upon finalizing the audit plan and objectives, it’s time to carry out the audit process. The audit team must now collect, examine, and verify evidence presented through internal documents, process reports, and other materials.
Once the audit team has completed its assessment, it will prepare an audit report and address its findings to the relevant persons, whether upper management or the entire organization.
Process and Results Review
The auditing process doesn’t stop after sharing the results with the team. Beyond analyzing the existing documentary evidence, auditors must also recall and evaluate the overall process and results of their audits.
In particular, the audit team must perform the following functions:
- Observe and analyze recurring trends and patterns in their findings
- Assess the effectiveness of solutions in addressing issues
- Examine the records from their audit program
- Verify conformity with the established procedures in their audit program
- Ensure information security and confidentiality
These activities ensure that the audits follow the guidelines set in their audit program plan. They also open opportunities for organizations to enhance their existing systems and auditing mechanisms.