New Standard Guides Internal and Supplier Audits


STANDARDS AND AUDITING

by Gary L. Johnson

QUALITY PROGRESS | MARCH 2006 | 25

In 50 Words Or Less

• U.S. experts have developed a supplement to ISO 19011:2002 to address internal and supplier audit programs and the standard’s use by small and mid-sized organizations.
• The supplement does not supplant ISO 19011.
• Together, the standard and supplement guide auditor selection and provide for their continuing evaluation.

Experts from the United States have developed a supplement to enhance the International Organization for Standardization’s (ISO) quality and environmental management system auditing standard.

ISO 19011:2002, Guidelines on Quality and/or Environmental Management Systems Auditing,¹ replaced six previous ISO standards and provides guidance on establishing an audit program for organizations, implementing audits of management systems and determining and evaluating the competence of auditors.

The standard was intended to apply to the full range of auditing situations but emphasized external third-party audits and did not appear effective in addressing internal and supplier audit applications. But throughout its development, the U.S. experts expressed concerns the full scope of the standard was not adequately addressed.

The development of ANSI/ISO/ASQ QE 19011S-2004,² the U.S. supplement to ISO 19011, was the result of the standard’s perceived insufficient guidance in areas pertaining to internal and supplier audit programs and the use of the standard by small to mid-sized organizations.

ISO 19011:2002

ISO 19011:2002 is intended to provide guidelines for auditing ISO 9001 based quality management systems (QMSs) and ISO 14001 based environmental
management systems (EMSs) but also be sufficiently general that it can be applied to any QMS or EMS and other management systems such as health and safety. It replaced the following ISO auditing standards:
• ISO 10011-1, -2 and -3, Guidelines for Auditing Quality Systems.
• ISO 14010, Guidelines for Environmental Auditing—General Principles.
• ISO 14011, Guidelines for Environmental Auditing—Audit Procedures—Auditing of Environmental Management Systems.
• ISO 14012, Guidelines for Environmental Auditing—Qualification Criteria for Environmental Auditors.

ISO 19011 is a guideline standard, which means its use is not mandatory unless it is invoked as part of a multiple-party agreement, such as a contract or other legal document. As a guideline standard, its implementation is generally not auditable because the elements of the standard are not requirements, and there may be other ways of accomplishing the same objectives. Of course, when the standard is invoked as a requirement, such as by a certification or registration body, its guidance becomes specifications for conformity assessment.

ISO 19011 approaches auditing as a process, and the core guidance lies in clauses five, six and seven.

The supplement’s format presents the ISO 19011 text in a box and follows the box with the supplemental guidance in three subclauses, one each for internal (first-party) audits, supplier (second-party) audits and use by small organizations. For those clauses in which the ISO text is sufficient, the supplement notes no additional guidance is needed.

Clause One—Scope

ISO 19011 focuses on the applicability of the standard to QMSs and EMSs and notes it can also be applied to other types of management systems. The supplement expands the concept of small organizations to include consideration of the complexity of the management system; that is, the supplement could apply to large organizations if they have simple management systems, products and processes.

Clause Two—Normative References

The supplement does not add guidance to this clause. ISO 19011 references to ISO 9000 and ISO 14050 on environmental management vocabulary were deemed sufficient.

Clause Three—Terms and Definitions

While the supplement does not add new definitions or changes to those in clause three, it does note the term “competence” is used in the context of auditor competence.

Clause Four—Principles of Auditing

ISO 19011 provides a brief summary of some important auditing principles in clause four. These principles are to be used to drive an organization’s establishment and implementation of the audit process. Key principles cited for auditor behavior are:
• Ethical conduct—the foundation of professionalism.
• Fair presentation—the obligation to report truthfully and accurately.
• Due professional care—the application of diligence and judgment in auditing.

Two other principles relate to the audit process primarily:
• Independence—the basis for impartiality and objectivity of the audit conclusions.
• Evidence based approach—the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process.

The supplement adds text to stress the importance of audit and auditor independence by noting, “Auditors should not audit their own work.” The value of the audit principles to supplier audits and small organizations is also discussed.

Clause Five—Managing An Audit Program

Clause five provides guidance for organizations in establishing and maintaining an ongoing audit program. Such audit programs could include certification audits but could also include internal and supplier audits. Most clauses in this section of the standard have supplemental guidance to distinguish among the different types of audit programs. The supplement adds text to emphasize the differences between internal and external audits.

ISO 19011 uses the plan-do-check-act cycle to describe management of the audit program. Some of the key actions addressed are:
• Establishing the authority for the audit program.
• Establishing the audit program itself, including the objectives and extent, responsibilities, resources and procedures.
• Ensuring the implementation of the audit program.
• Monitoring and reviewing the audit program to improve its efficiency and effectiveness.

Because the standard can be applied to internal and external auditing, setting the objectives and extent of the audit program is a critical early step in defining the program for a particular organization or application. Any audit program implementers or managers should have appropriate authorities and resources.

An audit program may also address the possibility of combined and joint audits. A combined audit occurs when a QMS and EMS are audited at the same time by the same team. A joint audit occurs when two teams cooperate to audit an organization during the same period, with one auditing the QMS and the other the EMS. Such audits are more typically found in external audits, but combined internal QMS and EMS audits are possible.

ISO 19011 notes any audit program should be monitored and reviewed to ensure its ongoing effectiveness in meeting the organization’s needs. Adjustments to the audit program should be made when needed to foster improvements.

The supplement adds text to further emphasize the managerial differences between external and internal audits and suggests audit program review should also consider the performance of the audit program in meeting the organization’s needs and the contribution of the program to the management system’s improvement.

Clause Six—Audit Activities

The supplement adds important guidance for audit team leaders for internal and supplier audits not covered by ISO 19011. In general, ISO 19011 describes general steps in planning and conducting an audit:
• Initiating the audit.
• Conducting document review.
• Preparing for and conducting on-site audit activities.
• Preparing, approving and distributing the audit report.
• Completing the audit, which includes any needed follow-up activity.

Initiating an audit requires consideration of several factors and actions:
• Appointing an appropriate audit team leader.
• Having defined audit objectives, scope and criteria.
• Determining the audit is feasible.
• Selecting a satisfactory audit team.
• Establishing the initial contact with the auditee.

The supplement provides extensive guidance to cover internal and supplier audits, including the audit team review of any available documents pertaining to the audit and preparation for the audit’s on-site phase:
• Creating a plan to document how the audit will be conducted.
• Assigning specific work or responsibilities to audit team members.
• Developing work documents, such as checklists and sampling plans.

The on-site activities of all types of audits are similar and include:
• Conducting an opening meeting with the auditee.
• Communicating with the auditee and others during the audit.
• Defining the roles and responsibilities of any needed guides.
• Collecting and verifying information.
• Generating audit findings.
• Preparing audit conclusions.
• Conducting the closing meeting.

The supplement emphasizes differences in how internal and external audits are conducted. For example, an opening meeting may be less formal
for an internal audit, and communication during the audit can be simpler. The supplement notes, however, a formal meeting is always appropriate in supplier audits. In all cases, a reliance on objective evidence is needed.

Reporting on the audit results is a critical step and should accurately reflect what transpired during the audit, regardless of type.

ISO 19011 emphasizes the need to address the extent of conformance to the audit criteria, the effectiveness of the management system implementation and the ability of the management review process to ensure the continuing suitability and effectiveness of the management system.

This is a significant difference from previous QMS audit practices in which auditors frequently commented on the suitability and effectiveness of the management system itself—inappropriate for two reasons:
1. Management is responsible for assessing the value of the management system.
2. The auditors may lack knowledge about the organization’s operations critical to assessing the value of the management system.

Clearly, internal auditors have more flexibility in presenting opportunities for improvement because they are stakeholders in the organization. External certification auditors, however, must remain mindful of most codes of ethics, which prohibit consulting.

Both the standard and the supplement provide specific guidance for audit completion and follow-up as needed to confirm all nonconformities have been addressed. In most cases, the audit will be completed when all activities described in the audit plan have been completed, but there may be occasions when follow-up by the same audit team will be necessary—for example, in an internal audit.

Clause Seven—Competence And Evaluation of Auditors

Clause seven in ISO 19011 represented a significant change from previous auditor guidance by emphasizing auditor competence instead of qualifications.

The standard describes a consistent process for initially selecting and continually evaluating the auditor competence. Competence is based on the demonstration of personal attributes and the ability to apply requisite knowledge and skills obtained through education, work experience, auditor training and audit experience.

The standard also describes the general knowledge, skills and personal attributes needed for an auditor and an audit team leader. An auditor should have knowledge and skills in audit principles, procedures and techniques for implementing the audit. Similarly, the auditor needs to understand the scope of the audit and concepts of management systems to apply audit principles effectively.

An audit team leader needs to have the same knowledge and skills plus the appropriate organizational and leadership skills to implement the audit consistent with the goals of the audit program. In addition, the auditor and audit team leader need knowledge and skills pertaining to QMSs and EMSs and their appropriate applications. When combined audits are required, knowledge and skills in both areas are necessary. Typically, the levels of education, training and experience will vary according to the specific goals and objectives of the audit program.

For example, the levels for internal auditors will very likely differ significantly from those for third-party certification auditors. In a practical manner, these levels should be set by the owner of the audit program or by an appropriate accreditation body. The developers of ISO 19011 had an extensive debate about what these levels should be and who should set them.

The standard includes a table that gives arbitrary numeric levels reportedly based on a survey of certification auditors in the United Kingdom in the early 1990s. That the table could be interpreted as a consensus recommendation and considered a de facto requirement was the principal concern for the U.S. developers regarding clause seven.

The U.S. experts believed this table is inappropriate for this standard and infringes on the authorities of international and national certification bodies. It is certainly inconsistent with the ANSI/ASQ National Accreditation Board (ANAB) programs for registrars for ISO 9001 and ISO 14001. The U.S. developers also feared some users could be influenced to apply the table to other audit situations, including internal and supplier audits.

In contrast, while sentiments at the time were strong among some countries that the table was needed to raise the bar of excellence for auditors professionally, representatives of developing
countries expressed concern the levels were too burdensome for them.

For clause seven, the U.S. supplement provides an alternative approach to determining and evaluating the competence of auditors based on the scope of the audit program. Practical considerations show the competence needed for certification and registration auditors would logically be greater than that for internal auditors.

These and other differences between internal and external audit programs form the basis of the supplement’s approach to competence, and the supplement provides extensive guidance to the user in this regard.

The ISO standard and the supplement together provide a process to guide the initial selection of auditors commensurate with the needs of the audit program and provide for their continuing evaluation. Because some audit programs may be long-term, and auditors may be used over an extended period, the supplement describes a four-step process for the ongoing evaluation of auditor competence. These steps are to:
• Identify the personal attributes and the types and extent of knowledge and skills to meet the needs of the audit program.
• Set the evaluation criteria, reflecting the nature of the audit program.
• Select an appropriate evaluation method.
• Conduct the evaluation.

Clause seven also provides guidance on the maintenance of auditor competence, typically achieved through continuing professional development such as additional training, participation in conferences and seminars and additional auditing experience.

Practical Use

It is important to re-emphasize the value of ISO 19011 as an auditing standard, even though its primary application seems to be for third-party and certification or registration audits in particular.

Furthermore, the standard is being modified by the International Accreditation Forum in a manner similar to the U.S. supplement for use as criteria for audit programs and auditor competence by organizations in determining conformance to accreditation and certification standards and guidelines.

As the development of QE 19011S, the U.S. supplement, as an American national standard progressed, its existence became known to other countries currently using ISO 19011. Several expressed support for its completion based on their need for more guidance on internal audits and use by small organizations and businesses.

The nature of auditing continues to evolve as audit program managers and auditors are confronted with a constantly changing management systems landscape. New applications for management systems, including occupational health and safety and corporate social responsibility, are continuing to emerge. With this comes the challenge of being able to effectively audit them for conformity.

The ANSI Z1 accredited standards committee is currently considering expanding QE 19011S to include criteria for auditors conducting audits of occupational health and safety management systems (OHSMS).

There is now an American national standard on OHSMS called ANSI Z10:2005, and the British Standards Institute has recorded more than 11,000 certifications worldwide to its OHSAS 18001 document, which applied the framework of ISO 14001 to OHSMS.

These events would seem to support the need for auditor criteria in support of audits to these documents, and QE 19011S is the logical vehicle to accomplish this goal. It is expected the additions to QE 19011S will come primarily in clause seven on
competence and evaluation of auditors.

Because a mandatory review of ISO 19011:2002 is expected to start by the end of this year, a revised QE 19011S will be positioned to provide key input to the ISO revision process.

ACKNOWLEDGMENT

The author acknowledges the contributions to ANSI/ISO/ASQ QE 19011S-2004 by John Stratton and Bart Solomon as fellow U.S. experts to the ISO 19011 joint working group on auditing and by the members of the ANSI Z1 joint task group that developed the supplement. The support of the development of the supplement by the U.S. technical advisory group (TAG) to ISO/technical committee (TC) 176 and the U.S. TAG to ISO/TC 207 is also greatly appreciated.

REFERENCES

1. ISO 19011:2002, Guidelines on Quality and/or Environmental Management Systems Auditing, International Organization for Standardization, October 2002.
2. American National Standards Institute Accredited Standards Committee Z1, ANSI/ISO/ASQ QE 19011S-2004, Guidelines on Quality and/or Environmental Management Systems Auditing—U.S. Version With Supplemental Guidance Added, ASQ Quality Press, August 2004.

Gary L. Johnson is an environmental engineer with the quality staff in the U.S. Environmental Protection Agency (EPA), Office of Environmental Information, which has oversight responsibility for quality management policies and procedures for all U.S. EPA environmental programs. He represented the United States in the development of ISO 19011:2002 and co-chaired the ANSI Z1 committee effort to develop ANSI/ISO/ASQ QE19011S-2004. Johnson is a Fellow of ASQ, a member of the ASQ Board of Directors and chair of its Division Affairs Council. He has a bachelor’s degree in nuclear engineering from North Carolina State University.

Please comment

If you would like to comment on this article, please post your remarks on the Quality Progress Discussion Board at www.asq.org, or e-mail them to [email protected].
