by Duke Okes
ISO 19011 is a guidance document (vs. a standard) originally issued in 2002, then revised in 2011 and 2018. Each revision broadened the application to be relevant for a wider range of management systems. As one would expect, ISO 19011 contains lots of information on how to plan, conduct and report audits, such as is typically included in an internal auditor or lead auditor training course. It also includes information some might find useful for auditing to the latest edition of ISO 9001 (and other standards based on it) such as how to audit context, leadership and commitment, and risks and opportunities.
But perhaps the more valuable content is on how to manage an audit program, which is usually not included in auditor training. Yet the impact of the audit program will be affected not only by how well audits are performed, but also on whether audits and the audit program are aligned with organizational strategy and objectives.
Managing a Management System Audit Program
Let’s look at some of the components required for managing an audit program according to ISO 19011, plus a few personal thoughts:
Audit Program Objectives – In many organizations audit objectives are often not explicitly set, but the implied objective is to carry out the audits as required by the relevant management system standard. Granted, this is perhaps a mandatory objective, but it does little to guide the audit program. In addition to measuring compliance to customer, regulatory, and internal requirements, audits could:
- Help identify unaddressed risks;
- Evaluate the degree of alignment of processes, their objectives, and the metrics used to measure performance; and/or
- Identify waste in the management system, etc.
In other words, compliance to poorly designed processes won’t lead to a very effective or efficient organization. In addition, the life-cycle perspective included in ISO 19011 indicates that audit objectives are likely to change over time as the level of maturity of products, the management system, and the organization evolve. Figure 1 is an example of this concept, indicating how audit orientation and success criteria will change over time, beginning in quadrant one and progressing through quadrants two, three, and four, as a management system matures.
Responsibilities of the Audit Program Manager – The role of the audit program manager should be more than creating a schedule, selecting auditors to carry out the schedule, and tracking performance against the schedule. Setting audit program objectives requires the program manager take on a leadership role that includes being knowledgeable of the organization’s strategy and objectives, expectations of external and internal stakeholders, and the key risks and opportunities to be managed. Additionally, the audit program manager should be managing processes and related technical and human resources so as to provide effective and efficient results.
Managing Audit Resources – Obviously human resource management is key to the audit process, but how many audit program managers continually have explicit processes for skill development and succession planning? What hardware and software would allow better management of individual audits and the audit program, whether it be for conducting virtual audits, trend analysis of the level of risks related to nonconformities (see “Trending Risk Ranked Audit Nonconformities”), or analytics for helping to proactively identify areas where risks are increasing? And what skills should be developed by auditors in order to utilize these tools, as well as how to audit based on a risk perspective or audit digital and/or AR/AI applications? One key question is whether being an auditor in the organization adds value to the individual’s experience portfolio and career success.
Monitoring the Audit Program – Program monitoring can be done at multiple levels, including performance of individual auditors, how well audit results compare to management system performance as measured by organizational-level KPIs, and the efficient use of audit resources. Feedback from auditees, process owners and senior leadership can also inform the audit program manager as to whether or not the program is perceived as value adding, or simply a resource sink. Using the principles of auditing included in ISO 19011 and a Likert scale for measurement would be a good potential means of self-assessment.
A good perspective to help ensure effective management of an audit program is to think of it as a separate, independent business. If this were the case there would a need for an explicit strategy to help meet customer requirements, as well as a marketing program intended to elicit audit requests from potential customers. This then raises a question that any audit program manager can use to determine whether or not the audit program is deemed valuable: How often do process managers request an audit based on their concerns about risk or the desire to identify opportunities for improvement?
Note that it is not necessary to have a copy of or even reference ISO 19011 in management system documentation, but the information contained can be a useful resource for audit program managers. One significant item missing in the author’s perspective is the lack of the use of analytics for deciding whether or not an audit of a specific process or set of interrelated processes is warranted (see “Analytics for Auditors”), which can significantly contribute to a more efficient audit program. Financial auditors have been using analytics for decades and it is an excellent fit to the concept of risk-based thinking and risk-based auditing. Reviewing the roles and responsibilities of a chief audit executive might also be a useful source of learning for audit program managers.
About the author
Duke Okes has been in private practice for 34 years as a trainer, consultant, writer, and speaker on quality management topics. His book titled “Musings on Internal Quality Audits: Having a Greater Impact” was published by ASQ Quality Press in 2017. He is an ASQ Fellow and holds certifications as a CMQ/OE, CQE, and CQA.