2 - Iso 19011-2018

ISO
19011:2018
guidelines for auditing management systems
WHAT IS ISO 19011:2018?
ISO 19011 is defined as the standard that sets forth guidelines for auditing
management systems. The standard contains guidance on managing an
audit program, the principles of auditing, and the evaluation of individuals
responsible for managing the audit programs. An audit program consists of
the arrangements made to complete all of the individual audits needed to
achieve a specific purpose.
ISO 19011:2018 provides valuable information
on how to improve an audit program
systematically, just as other departments in an
organization are expected to improve. One
aspect of such improvement is continuously
ensuring the audit program objectives are in line
with the management system policies and
objectives. Organizations, in pushing for
auditing improvements, should consider the
needs of customers and other interested parties.
An area of increasing importance in auditing

management systems and business in general is
the concept of risk. As of the 2011 edition, risk
has been integrated throughout the audit program
management section of the ISO 19011:2018
standard.
WHO CAN USE ISO 19011:2018?
If your organization conducts internal or external audits of
management systems, or if you manage an audit program, then ISO
19011 and the ANS version apply to you. Anyone involved in audits or
audit programs can use ISO 19011. More specifically, ISO 19011 is for
people in charge of managing an audit program and evaluating
individuals involved in the audit programs and audits. Anyone who has
been tasked with improving an audit program will likely find ISO 19011
of value.
ISO 19011 STANDARD FACTS
When the United States adopts its version of a standard, it is referred to
as an American National Standard (ANS) and is the equivalent of an
international standard. The ANS version may or may not make changes
to the international (ISO) version of the standard. In the case of ISO
19011, it is considered an identical adoption.
WHAT DOES ISO 19011:2018 ACCOMPLISH?
ISO 19011 offers guidance on every step of auditing a management system or audit program, including:
• Defining program objectives
• Ensuring you understand the specific objectives you hope to achieve
• Making audit arrangements
• Assigning roles and responsibilities
• Defining number, scope, location, and duration of audits
• Determining criteria and specific checklists
• Establishing review procedures
• Completing the audits needed
• Planning and reviewing internal documents
• Collecting and verifying audit evidence
• Generating findings and preparing reports
• Communicating findings
• Reviewing the results and process
• Assessing results and trends
• Conforming with audit program procedures
• Evolving needs and expectations of interested parties
• Analyzing audit program records
• Examining effectiveness of the measures to address risks
• Ensuring confidentiality and information security
WHAT ARE THE DIFFERENCES BETWEEN
ISO 19011:2011 AND 19011:2018?
The main differences between the 2011 and 2018 revisions, as outlined in its foreword, are the
following:
• Addition of the risk-based approach to the principles of auditing
• Expansion of the guidance on managing an audit program, including audit program risk
• Expansion of the guidance on conducting an audit, particularly the section on audit planning
• Expansion of the generic competence requirements for auditors
• Adjustment of terminology to reflect the process and not the object (“thing”)
• Removal of the annex containing competence requirements for auditing specific management
system disciplines (due to the large number of individual management system standards, it
would not be practical to include competence requirements for all disciplines)
• Expansion of Annex A to provide guidance on auditing (new) concepts such as organization
context, leadership and commitment, virtual audits, compliance and supply chain
A full MS audit has four primary goals:
Determine the extent to which the MS has been established.
Determine whether or not the MS has been documented in

Why Audit accordance with applicable requirements also known as audit
criteria (e.g., ISO standard, applicable regulations, contracts).
Determine if the MS has been effectively implemented.
Determine whether or not the MS has been properly

maintained.
Pre-Audit activities
Scheduling an audit
Initial contact is made with the auditee to:

• Confirm the authority to conduct the audit and schedule audit
• Provide information on the audit objectives, scope, methods and
composition of audit team
• Request access to relevant documents and records for planning
purposes
• Determine applicable legal and contractual requirements and other
requirements relevant to the activities and products of the auditee.
Select the audit team.
• The first basic step is to figure out who will lead the audit team. If you work for a
small company, that might be you! This person will be responsible for all phases of
the audit.
• If your company is small, you may comprise the “team.” If your company has more
than, say, 150 employees, insources design, makes high risk-products, etc., it is
possible that you may need 2+ auditors on your team. In selecting the audit team
members, consider which competencies are needed, how long your audit will last, the
scope of the audit, and time constraints. The first rule of auditing is that an auditor
cannot examine an area for which he/she is responsible.
• Regarding competence, consider this example: An auditor who needs to interview
management regarding management processes (e.g., resource processes, results
processes, etc.) should have some minimal business experience. An auditor who
needs to verify process or product measurements may need to have knowledge of
quality and statistical tools. That’s why ISO defines competence in terms of education,
training, skill, experience, and personal attributes.
The audit team leader will assign responsibility for auditing specific
processes, activities or functions to each team member.
Audit team members are obliged to collect and review the information
relevant to their audit activities and prepare work documents, such as
checklists, audit sampling plans and forms for recording information for the
purpose of recording audit evidence. The work documents need to be
retained for the duration of the audit or for as long as specified in the audit
plan.
Once administration details have been finalized, it is then time to look at the
activities required to carry out the audit which is the focus of our next
Slides.
Role of the Lead Auditor
Every audit has a lead auditor – even if it’s the only auditor! This person represents the team in
communication with the auditee and management. The lead auditor also defines the requirements of
each audit assignment, including qualification of other audit team members. Here are some of the lead
auditor’s additional responsibilities:
• Plan the audit.

• Assign audit responsibilities to each audit team member.
• Make effective use of resources during the audit.
• Organize and direct audit team members.
• Provide direction and guidance to auditors in training.
• Lead the audit team to reach conclusions.
• Prevent and resolve conflicts during the audit.
• Prepare and complete the audit report.
Audit Schedule
A well-planned audit schedule will ensure that audits are performed
regularly, are conducted according to the importance of the process and
address the results of previous audits.
Developing a master audit schedule is the first step toward

planning audit activities for the year. Individual audit leaders will
construct the individual audit plans to meet the schedule. An
example of a master internal audit schedule. A similar one could
be developed to plan your supplier audits for the year.
A typical ISO internal audit will generally cover 2-4 areas of the
organization each month throughout the year, depending on the size
of the company.
Gather and review background information
In order to prepare for an audit, the necessary documentation for the management system
needs to be reviewed. The documentation review should include:
• Management system documentation and records
• Checklists
• Audit sampling plans
• Forms for recording information such as records of meetings, audit findings and
supporting evidence
• Previous audit reports
It is important to gather this information on processes and functions in order to gain an

insight into the extent of the system documentation and to detect possible gaps in the
management system as well as to assess the audit objectives and scope.
Audit Plan
• An audit plan should be developed by the audit team leader based on

the information obtained from the audit program and from the
documentation provided by the auditee. This plan should facilitate
the efficient scheduling and coordination of audit activities in order to
achieve the objectives effectively.
The audit plan should include but is not
limited to the following:
• Objectives
• Scope
• Criteria and any reference documents
• Locations, dates and duration of audit activities
• Roles and responsibilities of the audit team members
• Allocations of appropriate resources to critical areas of the audit
• Audit report topics
• Any follow-up actions from a previous audit
• Any follow-up activities from the planned audit
Audit Activities using ISO 19011
• This is the third instalment in the ISO 19011 audit series which looks at activities
required to successfully prepare for an integrated management audit. In this
slide we will look at audit activities and elaborate on the graph below:
Whilst initiating your audit, you should ensure that:

• The audit team leaders are appointed for each individual audit
• Each team leader initiates the management system audit they are responsible
for the activities following:
Conducting an opening meeting
This meeting is required for the following purposes:
• Introduction of the audit team

• Confirming agreement of all parties to the audit plan
• Ensure that all planned activities can be performed, e.g. interviews
with personnel, physical inspection of the site and review of
documentation
This meeting should be formal and records of attendance should be
kept. This meeting should also be chaired by the audit team leader.
Review of Documentation
A review of documentation is necessary to:
• Determine the conformity of the system with the audit criteria

• Gather information to support the audit activities
Collecting and Verifying Information:
Methods for collecting this information include:
• Interviews
• Observations
• Review of documents, including records
Generating audit findings
Audit evidence should be evaluated against the audit criteria in order to
determine audit findings. These findings can indicate conformity or
non-conformity with the audit criteria.
Preparing Conclusions
The following activities should be carried out when preparing audit conclusions:
• Review audit findings against audit objectives
• Agree on audit activities
• Prepare recommendations
• Discuss audit follow-up
Closing Meeting
A closing meeting is required to present the audit findings and
conclusions. The audit team leader should explain the following to the
auditee:
• Advise that the audit evidence collected was based on a sample of
information collected.
• The method of reporting
• The process of handling audit findings and possible consequences
• Presentation of audit findings and conclusions in a manner that is
understood and acknowledged by the auditee management
• Any related post-audit activities
Once the findings have been evaluated, a report outlining findings and
any post-audit activities can be drafted.
You only need to conduct audit activities which comply with your
management system.

2 - Iso 19011-2018

Uploaded by

Copyright:

Available Formats

2 - Iso 19011-2018

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2 - Iso 19011-2018

Uploaded by

Copyright:

Available Formats

ISO

An area of increasing importance in auditing

Determine the extent to which the MS has been established.

Determine whether or not the MS has been documented in

Determine if the MS has been effectively implemented.

Determine whether or not the MS has been properly

Initial contact is made with the auditee to:

• Plan the audit.

Developing a master audit schedule is the first step toward

It is important to gather this information on processes and functions in order to gain an

• An audit plan should be developed by the audit team leader based on

Whilst initiating your audit, you should ensure that:

• Introduction of the audit team

• Determine the conformity of the system with the audit criteria

You might also like