by Peter Holtmann
ISO 19011 has been used since 2002 to evaluate auditors regardless of industry, grade, or employment. The standard is the quintessential guide on which training providers, registrars, and auditors alike have based their development, assessment, and recognition programs. It should be regarded as essential reading for those entering the industry and as the go-to reference guide when working in the field.
ISO 19011:2011 represents a change in direction for the standard and for the technical committee that produced it. The introduction itself states a change in philosophy:
“Since the first edition of this International Standard was published in 2002, a number of new management system standards have been published. As a result, there is now a need to consider a broader scope of management system auditing, as well as providing guidance that is more generic… this second edition of this International Standard provides guidance for all users, including small and medium-sized organizations, and concentrates on what are commonly termed ‘internal audits’ (first party) and ‘audits conducted by customers on their suppliers’ (second party).”
These changes broaden the scope to “the auditing of any management systems,” define the relationship between ISO 19011:2011 and ISO/IEC 17021, describe remote audit methods and their use for risk analysis in auditing, add confidentiality as a new principle of auditing, strengthen the competence determination and evaluation process, and provide examples of discipline-specific knowledge and skills along with tables for guidance.
ISO 19011:2011 includes the same guidance on auditing management systems that was in its previous revision in addition to new guidance on the evaluation of competence of individuals involved in the audit process. This includes the person managing the audit program, auditors, and audit teams.
But wait, there’s more! The “free steak knives” in ISO 19011:2011 is its introduction of the concept of risk to management systems auditing. It states: “The approach adopted relates both to the risk of the audit process not achieving its objectives and to the potential of the audit to interfere with the auditee’s activities and processes.”
So where is the guidance on risk management or mitigation techniques? ISO 19011 discusses how organizations should focus their audit efforts on matters of significance to the management system but doesn’t mention types of risk assessment, mitigation, or management. These decisions are left to the training provider, registrar, audit program manager, or auditor. The concept of risk is important, and, in my opinion, a welcomed introduction to auditing, so I would have preferred to see an annex that focuses on risk methodologies in ISO 19011:2011.
The standard describes the elements of risk that an auditor should consider. This includes failure to set relevant audit objectives or determine the extent of the audit program, allowing insufficient time to develop the audit program or conduct an audit, and ineffective communication of the audit program. These are very appropriate and worthy topics to consider, but how does one go about assessing their risk? Is it merely documenting the risks? Is some form of Monte Carlo analysis employed? Or is it something more bespoke? There are simple and effective tools for evaluating risk, and it seems that risk training will now become a requirement of competency-based auditor certification.
ISO 19011:2011 also introduces the concept of team composition in relation to competence. It states: “In deciding the size and composition of the audit team for the specific audit, consideration should be given to the following… the overall competence of the audit team needed to achieve audit objectives, taking into account audit scope and criteria…”
Audit teams are usually formed by the audit program manager or a similar manager. Does this mean the program manager should be deemed competent too? The discussions I’ve had with registrars at several international associations indicate that this would be a good idea. Thus, training for audit program managers is a future market need. I would even go so far as to say that certification of audit program managers is inevitable.
Interestingly, ISO 19011:2011 describes specific knowledge and skills that must not only be possessed but also demonstrated. It also addresses sector-specific knowledge and skills. The International Accreditation Forum (IAF) has identified and categorized 39 sectors that translate into economic sectors or activities. Examples of these scopes include agriculture, mining, publishing, nuclear fuel, ship building, hotels, and restaurants.
To tackle all 39 scopes and assign competency evaluations (knowledge and skills exams) would be a very daunting prospect for any program manager. Although there are registrars that use these examinations, they are for internal use only and comply with ISO 17021. So how does a garden-variety auditor—contractor or otherwise—demonstrate competence to specific sectors?
ISO 19011 doesn’t directly address this issue, although it addresses it conceptually. Call it the “helicopter view” of sector-specific competency. The standard identifies it as follows: “Auditors should have the discipline and sector-specific knowledge and skills that are appropriate for auditing the particular type of management system and sector. It is not necessary for each auditor in the audit team to have the same competence; however, the overall competence of the audit team needs to be sufficient to achieve the audit objectives.”
ISO 19011:2011 includes an annex that gives some detail about sector-specific competencies, but only in regard to key management system standards. Considering that the introduction of the standard talks of moving away from specific standards for quality management systems, environmental management systems, and occupational health and safety (among others), the standard doesn’t include much theory or many concepts on the application of these very standards.
ISO 19011:2011 does, however, require the demonstration of discipline-specific management system requirements and principles and their application; legal requirements relevant to the discipline and sector; requirements of interested parties relevant to the specific discipline; and risk management principles, methods, and techniques relevant to the discipline and sector.
There are other requirements in ISO 19011:2011, but I spotlight these requirements because I haven’t yet seen a training course, examination, or evidence from an audit log that appropriately answers these needs. This will make the job of the audit program manager charged with assigning audit teams just a little bit harder.
ISO 19011:2011 requires auditors to understand auditees’ organizational structure, business, and management practices including governance, size, structure, functions, and relationships; budgeting and personnel management; cultural and social characteristics; and legal and contractual requirements. Required legal knowledge includes laws and regulations and their governing agencies, basic legal terminology, and contracting and liability.
Although these requirements make for an extremely detailed audit, I have the suspicion that audit teams will grow to accommodate these needs. This may increase on-site duration and expense, so auditees should be briefed on the requirements for such an audit. Accordingly, the certification sales manager must ensure that the audit team members possess the required competencies to meet the customer’s expectations of certification.
What does all this mean? Is this a good thing for our industry? Is it creating jobs? How do smaller industries support these extra layers of certification requirements? Are training providers geared to deliver the necessary competencies defined in ISO 19011:2011 and can they support the professional development requirements for current auditors? Most important, was industry consulted before creation of these requirements?
I think that ISO 19011:2011 is progressive and accounts for the future needs of such standards as social responsibility, sustainability, and business continuity. I believe that it will elevate the auditing profession to be on par with Certified Public Accountants, financial auditors, and corporate risk managers.
I also have concerns over the readiness of industry to implement ISO 19011:2011. I don’t see a global infrastructure that supports the training and development needs the standard requires or that registrars are ready for the increased demand on their recruiting, human resources, and development teams.
However, let’s not forget the focus of ISO 19011:2011: first- and second-party auditors and their program managers, industry, the 39 IAF economic sectors, quality assurance supplier auditors, in-house management system auditors, and contract auditors. Most important, how are they prepared for ISO 19011:2011?
About the author
Peter Holtmann is president and CEO of RABQSA International Inc. and has more than 10 years of experience in the service and manufacturing industries. He received his bachelor’s degree in chemistry from the University of Western Sydney in Australia and has worked in industrial chemicals, surface products, environmental testing, pharmaceutical, and nutritional products. Holtmann has served on various international committees for the National Food Processors Association in the United States and on the Safe Quality Foods auditor certification review board.