by Elisabeth Thaller
After the second meeting of the international committee ISO/PC 302 JWG1, the vision of the revised ISO 19011—Guidelines for auditing management systems has become much clearer.
Prompted by a presentation by the Italian delegation, an effort was made to include changes to the standard that go beyond the initially discussed light adjustments and focus on a revised document that better reflects organizations’ needs and the framework of ISO’s Annex SL High Level Structure. This structure provides a standardized approach to management system standards by using identical subclause titles, text, and common terms and core definitions to facilitate the integration of several management system standards within one organization’s business management system.
Based on the High Level Structure, the new generation of ISO management system standards focuses on the context of the organization and its internal and external issues, the integration of the management system within the organization’s business—yes, some people still don’t get it—and the overall outcome and effectiveness of a management system, which can address one or several standards.
Organizations can be simple to extremely complex, and the challenge lies in creating standards that apply to all. The High Level Structure promotes a management system that is risk-driven, and we auditors should be prepared to face the challenge of recognizing the gaps within the organization that prevent it from being successful. After all, the purpose of a management system is to provide a systemic approach to achieving better results in relation to the needs and expectations of the organization’s interested parties. The challenge of ISO 19011 is to provide sufficient and appropriate guidance to facilitate consistent and valuable audit outcomes without being prescriptive.
Now let’s look at some of the changes:
Risk-based approach: This has been the most significant addition to ISO 19011 so far. The High Level Structure requires that planning be done based on the organization’s risks and opportunities (section 6.1), which in turn should be derived from the organizational context and its internal and external issues (sections 4.1 and 4.2). The current ISO 19011:2011 includes risk considerations only in relation to the actual audit program and individual audits, that is, the risks of not achieving the audit objectives and the risks to the auditee as a result of the audit activities.
Based on all the above, several significant additions have been made to the text of ISO 19011, starting with the inclusion and definition of a new auditing principle:
“Risk-based approach: an audit approach that considers risks and opportunities. The risk-based approach should substantively influence the planning, conducting, and reporting of audits in order to ensure that audits are focused on matters that are significant for the auditee and for achieving the audit program objectives.”
This new principle has been interwoven into the structure of the rest of the document, starting with Section 5—Managing the audit program, which suggests that consideration be given to the organization’s identified risks and opportunities and the actions taken to address them when preparing the audit program.
While the High Level Structure requires internal audits “be conducted at planned intervals,” the new ISO 19011 suggests that audit priority should be given to allocating resources and methods to matters in a management system with higher inherent risk and lower performance.
There will also be an annex to ISO 19011:2018 with guidance on how to audit risks and opportunities. The defined core objectives for the risk-based approach include assuring the credibility of the risk identification process, the correct determination and management of risks, and the review of how the organization tests those risks and opportunities.
In Section 6—Conducting an audit, the risk-based approach has been included mostly in relation to the planning of the audit.
Section 7—Competence and evaluation of auditors has not undergone any major changes so far. An addition worth mentioning is the inclusion of knowledge and skills of auditors that should cover the needs and expectations of relevant interested parties that impact the management system. In relation to the continual professional development, the changes in sector or discipline should be taken into account.
Other additions to the standard that many may find useful are further guidance on lifecycle, methods of auditing, professional judgment, and performance outcomes.
There are a few other changes within the standard that focus on aligning its wording and applicability to the new generation of management system standards utilizing the High Level Structure, and to provide a less prescriptive approach—mostly in regard to the documented evidence of the different steps within the audit process.
I would like to see more guidance on a process approach to auditing, which I believe is still a gray area for many auditors, but let’s see what comes up during the next round of review. There is still a long way to go before the final document will be released.
One thing to remember: when I work with auditors, I usually ask the question, “What is the purpose of a management system auditor?” Of course, the response depends on many factors, including the audit objectives of the organization. However, if we need to summarize it in one sentence, I would say the auditor’s purpose is to add value to the organization through the auditing process and its outcome. This will still remain a challenge, and no matter how well the new ISO 19011 will be written, it’s the responsibility of all parties involved, including the persons managing the audit programs, the auditees, the audit clients, the training providers, and each individual auditor to make it happen.
The next international meeting will be in November in Mexico City, so stay tuned.
About the author
Elisabeth Thaller has provided management system consulting, auditing, and training for the past 20 years. During this time, Thaller has coached private and government organizations on the implementation of diverse management system and conformity assessment standards, including ISO 17024 and ISO 17021.
As a contracted evaluator with Exemplar Global, Thaller has performed training provider and course certification audits in the US, Europe, Mexico, and South America.
Thaller is a member of the U.S. TAG to ISO/PC 302 Guidelines for auditing management systems and is actively involved in the current review of ISO 19011. Thaller previously participated in the ISO/TC 176 STTG (ISO 9001:2015), ISO/TC 207 STTF (ISO 14001:2015), and ISO/CASCO/STTF (ISO 17021:2015).