An Introduction to ISO 19011

Learn what ISO 19011:2018 is all about, how it works, and how it can help your organization build a solid framework for auditing systems.

Published 29 Jul 2022

What is ISO 19011?

ISO 19011:2018 is a guidance document for organizations that are establishing audit programs and performing audits for existing management systems. It covers the entire lifecycle of auditing systems—from the blueprint to evaluation. The auditing guidelines rest upon seven principles and encompass continuous improvement strategies for a sustained audit implementation.

Now in its 2018 edition, ISO 19011 sets the standard for building a world-class auditing system for organizations. However, note that this standard doesn’t have a certification entailing specific requirements. Instead, it aids organizations in properly implementing ISO’s management system standards through cross-checking measures and thorough documentation, among other things.

Purpose

ISO 19011 establishes benchmarks for a standardized and well-functioning audit system. It gives organizations a solid framework to build their processes from, both for auditing management systems and establishing audit programs. As a result, organizations can plan, conduct, and manage audits in a systematic and objective manner.

Moreover, the ISO 19011 standard enables organizations to enhance their management systems through a rigorous auditing arm. It ensures conformity to ISO’s management system standards such as but not limited to the following:

  • ISO 9001 – Quality Management System (QMS)
  • ISO 14001 – Environmental Management System (EMS)
  • ISO 31000 – Risk Management System

ISO 9001 vs. ISO 19011: What’s the Difference?

While belonging to the same ISO 9000 family, these two ISO standards perform distinct yet complementary functions. Discover the differences and similarities between ISO 9001 and ISO 19011 through the comparison table below.

| | ISO 19011:2018 | ISO 9001:2015 |
|---|---|---|
| Name | Quality management systems – Guidelines for Auditing Management Systems | Quality management systems – Requirements |
| Latest version | 2018 | 2015 |
| Content | Recommendations for evaluating existing management systems and building audit programs | Requirements and best practices for building a QMS |
| Purpose | Guide organizations in accurately assessing their management system performance and finding areas for improvement. | Set benchmarks for establishing quality metrics and standards in organizational processes and outputs. |
| Best used for | Applying best practices for creating a solid auditing system | Implementing ISO standards for managing quality systems |
| Certifiable? | No | Yes |

What is an Audit?

Within the ISO 19011 framework, an audit follows a methodical process to objectively examine and prove that an organization abides by specific rules, standards, and regulations. Proof often comes in the form of documents and reports of business operations, protocols, and practices relevant to the scope, objectives, and criteria of the audit plan.

Audits are typically classified into two types: internal and external. The sections below discuss how each of them works for an organization.

Internal Audit

Internal audits, otherwise known as self-audits, pertain to auditing processes conducted inside the organization. With this type of audit, the organization (or an institution on its behalf) initiates an audit program to assess if its operations are efficient and aligned with statutory or standard requirements.

They also allow organizations to identify weaknesses in their processes and continuously improve their management systems.

External Audit

On the other hand, external audits often involve parties outside the organization. They can stem from either of the following parties:

  • Second-party – customers, clients, vendors, and other stakeholders working with the company
  • Third-party – independent auditing bodies (for certification) and government agencies (for statutory compliance)

7 Principles of Auditing

ISO 19011 outlines seven principles forming the cornerstones of audit processes and programs. They direct audit teams on the right path and ensure the effectiveness of an organization’s audit system. These guiding principles are as follows:

  1. Integrity – Uphold fairness, honesty, and responsibility when managing audit programs and performing audits.
  2. Fair presentation – Present audit findings and conclusions with veracity, objectivity, accuracy, timeliness, and completeness.
  3. Due professional care – Exercise due diligence and reasonable judgment in all audit situations.
  4. Confidentiality – Safeguard audit information sources, especially sensitive or confidential ones.
  5. Independence – Ensure an impartial, bias-free judgment throughout the audit process.
  6. Evidence-based approach – Anchor the audit findings and conclusions on verifiable evidence with appropriate sample sizes.
  7. Risk-based approach – Incorporate risks and opportunities in the entire audit process lifecycle—from plans to communication materials.

Establishing an Audit Program

Successful audits become possible with the help of robust audit programs. After all, they steer auditors in the right direction by establishing a specific time frame and purpose for any audits to be conducted. Organizations can also scale their programs depending on their size.

An effective audit program consists of the following components:

  • Goals and objectives of the audit program
  • Opportunities and risks associated with the audit program
  • Type of audit(s) – internal, external
  • Scope – extent, location, limitations
  • Schedule – amount (how many times), frequency (how often), duration (how long)
  • Method – remote, on-site, combination
  • Criteria for the auditing process – to determine conformity with rules or standards
  • Requirements for audit team selection
  • Other relevant documents and information

Sustaining this program requires a consistent review and monitoring mechanism to check if the organization meets its objectives, identify areas that need change, and pursue continuous improvement.

Guidelines for Auditing a Management System

Audits are necessary for ensuring conformity to specific local and international standards such as ISO. In connection with this, they require your organization to fill various roles that help the audits achieve their targets.

As with most ISO standards, it’s important to keep in mind that your strategy will depend on the management system you plan to implement. After all, the standards for a quality management system differ from those for an environmental management system.

Understanding the auditing process is key to its effective implementation. Read on to learn how this process works in the context of ISO 19011.

Planning

The initial phases of an audit consist of planning out details, ranging from the audit objectives to audit teams. The tasks involved in this stage of the auditing process include the following:

  • Determining the objectives for conducting the audit
  • Forming and selecting qualified members of the audit team
  • Designating roles and responsibilities for auditors
  • Preparing a checklist of tasks and action items for the audit
  • Identifying the scope, location, amount, and frequency of audits
  • Setting procedures to review the auditing process

Audit Completion

Upon finalizing the audit plan and objectives, it’s time to carry out the audit process. The audit team now must collect, examine, and verify evidence presented through internal documents, process reports, and other materials.

Once the audit team has completed their assessment, they will prepare an audit report and address their findings to the relevant persons, whether the upper management or the entire organization.

Process and Results Review

The auditing process doesn’t stop after sharing the results with the team. Beyond analyzing the existing documentary evidence, auditors must also recall and evaluate the overall process and results of their audits.

In particular, the audit team must perform the following functions:

  • Observe and analyze recurring trends and patterns in their findings
  • Assess the effectiveness of solutions in addressing issues
  • Examine the records from their audit program
  • Verify conformity with the established procedures in their audit program
  • Ensure information security and confidentiality

These activities ensure that the audits follow the guidelines set in their audit program plan. They also open opportunities for organizations to enhance their existing systems and auditing mechanisms.

SafetyCulture Content Specialist

Leizel Estrellas

Leizel Estrellas is a content writer and researcher for SafetyCulture. Her academic and professional training as a researcher allows her to write meaningful articles that create a lasting impact. As a content specialist, she strives to promote a culture of safety in the workplace through accessible and reader-friendly content. With her high-quality work, she is keen on helping businesses across industries identify issues and opportunities to improve every day.