Thursday, September 22, 2011

ISO 19011:2011

ISO 19011:2011 – Guidelines for auditing management systems – Expected to be published soon

Keshav Ram Singhal

The International Organization for Standardization released ISO/FDIS 19011:2011 – Guidelines for auditing management systems to ISO members in July 2011. It is expected that the international standard ISO 19011:2011 will be published in October 2011.

ISO 19011:2002 is the current auditing standard that provides guidelines for auditing quality and/or environmental management systems. This standard was long due for revision, and since the initial publication of ISO 19011 in 2002 a number of new management system standards have been published. This has resulted in a need to consider a broader scope of management system auditing as well as to provide guidance that is more generic. This is now reflected in ISO 19011:2011, which has the revised title “Guidelines for auditing management systems” instead of “Guidelines for auditing quality and/or environmental management systems” as in the existing standard ISO 19011:2002. ISO 19011:2011 will be useful for auditing any management system, and it will also be useful for auditing integrated management as it will –
- Provide guidance on auditing all types of management systems, and
- Facilitate combined (integrated) audit of two or more management systems implemented by an organization.

ISO 19011:2011 will provide guidance for all users, including small and medium-sized organizations, and will concentrate on what are commonly termed internal (first party) audits and second party audits, as often conducted by customers on their suppliers.

The International Organization for Standardization (ISO) has already published ISO 17021:2011, a standard for conformity assessment that provides requirements for bodies providing audit and certification of management systems. After publication of ISO 19011:2011, there will be two relevant standards –
- ISO 17021:2011, Conformity assessment – Requirements for bodies providing audit and certification of management systems
- ISO 19011:2011, Guidelines for auditing management systems

The publication of ISO 19011:2011 will provide auditors, organizations implementing management systems and organizations (including certification bodies) needing to conduct audits of management systems an opportunity to re-assess their own practices and identify improvement opportunities in conducting audits.

What are the changes within ISO 19011:2011?

ISO 19011 is being revised to provide persons involved in management system auditing with good audit practice guidance relevant to the present environment. Presently many organizations implement management systems covering multiple disciplines, for example quality (ISO 9001), environment (ISO 14001), occupational health and safety (OHSAS 18001) and information security (ISO 27000).

The principles of auditing on which the guidance is based are being revised and expanded to include the new auditing principle of ‘Confidentiality – security of information’. This principle will require auditors to be prudent in the use and protection of information acquired in the course of their duties while auditing management systems.

The main body of ISO 19011:2011 will set out good practice for Managing an Audit Programme and Performing an Audit. It will be updated to reflect current thinking and, in parts, expanded significantly. These sections will provide detailed guidance, intended to be used flexibly according to the size and level of maturity of an organization’s management system and the nature and complexity of the organization to be audited. The concept of risk in auditing is being introduced. Some guidance will be provided on combined audits, where two or more management systems of different disciplines are audited together (for example QMS and EMS, EMS and OHSAS, QMS and OHSAS). Also, the use of technology in remote auditing will be acknowledged.

Changes are being introduced in the guidance on Competence and evaluation of auditors. ISO 19011:2011 will address the auditing of management systems covering multiple disciplines, some of which may be wide ranging. The significant changes include:

- ISO 19011:2011 will identify that necessary auditor competence comprises generic knowledge and skills of management systems, plus discipline specific (for example, QMS) and sector specific (for example, aerospace) knowledge and skills. Annex A (informative) of the standard will provide examples of discipline-specific knowledge and skills of auditors, including:
  - Transportation safety management
  - Environmental management
  - Quality management
  - Records management
  - Resilience, security, preparedness and continuity management
  - Information security
  - Occupational health and safety

ISO 19011:2011 will not include guidance on sector specific knowledge and skills of auditors. These may be developed later and published separately by the International Organization for Standardization (ISO).

The existing standard ISO 19011:2002 provides guidance on education, work experience, auditor training and audit experience that contribute to development of the knowledge and skills needed to perform audits and lead audit teams. ISO 19011:2011 will also provide guidance on the knowledge and skills of management system auditors and an audit team leader, but it will not make reference to auditors having completed education, work experience, auditor training and audit experience. This change will recognize that education, work experience, training and audit experience are enablers to competence, which ISO 19011:2011 and ISO 17021:2011 define as ‘ability to apply knowledge and skills to achieve intended results’. ISO 19011:2011 will recognize evaluation of competence needs, which may be carried out in a variety of ways, for example a combination of testing and examination, interview and observed audits.

1. Scope – There will be no significant changes.

2. Informative references – The previous reference to terms and definitions given in ISO 9000 (QMS) and ISO 14050 (EMS) will no longer be there.

3. Terms and definitions – New definitions for Observer, Guide and Risk are being introduced. The term risk will be used in ISO 19011:2011 in the context of “risk-based auditing” and also “audit programme risks”. The definition of competence is being revised and, although the change in wording appears slight, it will require organizations to determine competence to achieve intended results, the starting point for which will be to define the intended results for the various activities involved in managing an audit programme and performing audits. This change will be consistent with ISO 17021:2011, a standard on conformity assessment.

4. Principles of auditing – There will be six principles in ISO 19011:2011 instead of five in ISO 19011:2002. Principles (a) – (d) will relate to auditors and the person managing the audit programme. Principles (e) and (f) will relate to the audit.

(a) Integrity – The principle of integrity will replace and expand the principle of ethical conduct mentioned in ISO 19011:2002. The principle of integrity is the foundation of professionalism.

(b) Fair presentation – There will be minor expansion that will include the obligation to report truthfully and accurately.

(c) Due professional care – the application of diligence and judgement in auditing. ‘Having the necessary competence is an important factor’ (in ISO 19011:2002) will be replaced with ‘An important factor in carrying out their work with due professional care is having the ability to make reasoned judgement in all audit situations’ in ISO 19011:2011.

(d) Confidentiality – security of information. It will be a new auditing principle, which will address the need for auditors to exercise discretion in the use and protection of information acquired in the course of their duties. The principle will refer to inappropriate use of such information for personal gain or in a manner detrimental to the legitimate interests of the auditee.

(e) Independence – the basis for the impartiality of the audit and objectivity of audit conclusions. ISO 19011:2011 will provide more specific guidance on the extent of independence that needs to be achieved, whilst recognizing that in small organizations it may be difficult for internal auditors to be fully independent. ISO 19011:2011 will refer to internal auditors being independent from the operating managers of the function being audited. ISO 19011:2011 will reflect the interpretation of independence that certification bodies generally apply.

(f) Evidence-based approach – There will be minor rewording in ISO 19011:2011 that will include the rational method for reaching reliable and reproducible audit conclusions in a systematic way.

5. Managing an audit programme – This section will be considerably revised in ISO 19011:2011. The language of the guidelines in this section will be easy to understand, and there will be more clarity. The guidelines on managing an audit programme will be structured in the following clauses:

5.1 – General

5.2 – Establishing the audit programme objectives

5.3 – Establishing the audit programme

5.4 – Implementing the audit programme

5.5 – Monitoring the audit programme

5.6 – Reviewing and improving the audit programme

5.1 General – This clause of ISO 19011:2011 will recognize that an organization may implement a number of management system standards. Where the existing issue, ISO 19011:2002, refers to an organization establishing one or more audit programmes, ISO 19011:2011 will refer to an audit programme that can include audits considering one or more management system standards. Practically there will be little difference.

In this clause 5.1 of ISO 19011:2011 there will be guidance to allocate audit resources to audit those matters of significance within the management system. This concept is known as risk-based auditing.

5.2 Establishing the audit programme objectives – The title of this clause is being revised, and the content is being restructured to follow the process flow. Guidance on the extent of an audit programme is being transferred to section 5.3.3.

5.3 Establishing the audit programme – The ISO 19011:2002 title ‘Audit programme responsibilities, resources and procedures’ is being revised to the new title ‘Establishing the audit programme’. New to this issue is guidance on ‘Competence of the person managing the audit programme’. ISO 19011:2011 will add new guidance on ‘Identifying and evaluating audit programme risks’.

5.4 Implementing the audit programme – ISO 19011:2011 will provide more extensive guidance.

There will be a sub-clause ‘Define the objectives, scope and criteria for an individual audit’. The sub-clause guidelines will identify that each audit should have a clear objective. This section will also highlight issues to consider when two or more management systems of different disciplines are audited together.

There will be a new sub-section ‘Selecting the audit methods’, and additional guidance on this issue will be provided in Annex B of ISO 19011.

Other sub-clauses will include: Selecting the audit team members, Assigning responsibilities for an individual audit to the team leader, Managing the audit programme outcome, Managing and maintaining audit programme records.

In short, we can conclude that section 5.4 of ISO 19011:2002 is being revised to provide comprehensive guidance in place of what was previously a list of headline topics that needed to be addressed when implementing the audit programme. Section 5.5 of ISO 19011:2002 – Audit programme records will be part of section 5.4.

5.5 – Monitoring the audit programme and 5.6 – Reviewing and improving the audit programme – These two sections will replace what is stated in clause 5.6 of ISO 19011:2002 – Audit programme monitoring and reviewing. There will be minor expansion, with reference to matters to consider, such as: evaluating the performance of audit team members; considering, as part of a review, alternative or new auditing methods; reviewing the effectiveness of the measures to address the risks associated with the audit programme; and reviewing confidentiality and information security issues relating to the programme.

6. Performing an audit – The clause title in ISO 19011:2002 is ‘Audit activities’ which is being revised. In this clause of ISO 19011:2011 you will find improved guidance. The section will be structured to follow the audit process flow, as under:

6.1 General

6.2 Initiating the audit

6.3 Preparing audit activities

6.4 Conducting the audit activities

6.5 Preparing and distributing the audit report

6.6 Completing the audit

6.7 Conducting audit follow-up

There will be few changes in the guidelines in ISO 19011:2011.

7. Competence and evaluation of auditors – Some significant changes are being introduced in ISO 19011:2011. The new standard will address the auditing of management systems covering multiple disciplines. New guidance will include: Determining auditor competence to fulfill the needs of the audit programme, Personal behaviour, Knowledge and skills. The clause ‘Knowledge and skills’ will comprise: Generic knowledge and skills of management system auditors, and Discipline and sector specific knowledge and skills of management system auditors. ISO 19011:2002 provides guidance for quality management system and/or environmental management system auditors, each having its own section providing guidance on auditor knowledge and skill requirements. In ISO 19011:2011 these two sections of ISO 19011:2002 will be replaced by one that will identify knowledge and skills that need to be applied to all management systems, for example, knowledge of: legal requirements relevant to the specific discipline; fundamentals of the discipline and the application of business and technical discipline-specific methods, techniques, processes and practices sufficient to enable the auditor to examine the management system and generate appropriate audit findings and conclusions; and risk management principles, methods and techniques relevant to the discipline and sector to enable the auditor to evaluate and control the risks associated with the audit programme.

ISO 19011:2011 Annex A will provide guidance on discipline-specific knowledge and skills of auditors for: Transportation safety management, Environmental management, Quality management, Records management, Resilience, security, preparedness and continuity management, Information security, Occupational health and safety.

ISO 19011:2011 will provide guidance on Generic knowledge and skills of an audit team leader, which will include knowledge and skills to: balance the strengths and weaknesses of the individual audit team members, develop a harmonious working relationship among the audit team members, and manage the uncertainty of achieving audit objectives.

ISO 19011:2011 will provide guidance on knowledge and skills for auditing management systems addressing multiple disciplines, and on achieving auditor competence.

Clause 7.6 of ISO 19011:2002 provides guidance on auditor evaluation, having sub-clauses 7.6.1 – General and 7.6.2 – Evaluation process. ISO 19011:2011 will provide clearer guidance on auditor evaluation, specifying guidance on establishing the auditor evaluation criteria, selecting the appropriate auditor evaluation method, conducting auditor evaluation, and maintaining and improving auditor competence.

Thus we will find ISO 19011:2011 to be a useful guidance document that will give auditors clearer guidelines on auditing any management system. The whole process of revising and preparing ISO 19011:2011 is under the auspices of the ISO Joint Technical Co-ordination Group and administered by the ISO Technical Committee ISO/TC 176 and ISO subcommittee ISO/TC 176/SC3, and has also included interested parties, for example ISO/TC 207 and ISO/TC 34. ISO 19011:2011 will be the second edition of ISO 19011. The second edition of ISO 19011 will cancel and replace ISO 19011:2002 upon its publication.

Additional comments – This article was written before publication of ISO 19011:2011. Please note that the International Organization for Standardization (ISO) published the ISO 19011:2011 standard on 11 November 2011.

