New Impulses for the Audit
Revision ISO 19011
The new Standards ISO 9001 and ISO 14001 as well as standardisation of the structure of the management system standards (HLS - high-level structure) have also made it necessary to review ISO 19011 again as to find out to what extent it might need to be revised. In this process, ISO also saw a structural change: In the past, ISO 19001 used to be jointly administered by the Committee for Quality Management and the Committee for Environmental Management. As, however, the Standard should increasingly be usable for all management systems, a specific interdisciplinary committee has been installed.
ISO 19011 is the central guide for auditors operating in all sectors. In 2015, specific rules were established for certification auditors by drawing up the documents of the ISO 17021 Series. In contrast, ISO 19011 remains the central document for all first-party and second-party audits just as much as for third-party audits (e.g. audits conducted by public authorities or supervising bodies). Even ISO 9001 directly references ISO 19011 in Clause 9.2, which deals with internal audits.
The Revision 2018 had not been planned as a radical change. The objective consisted in reflecting the changes mentioned above and thus better supporting the auditors in practice.
The Standard appeared in its English version in July 2018. The development of ISO 19011:2018 had been finished after less than two years. The interdisciplinary committee had only held three conferences, and ISO had established a lean drawing-up process. Nevertheless, some innovative concepts (e.g. “auditee’s location”, risk-based approach) could be incorporated into the Standard in a consensus after discussions that had partially been controversial.
ISO 19011:2018 did not only consider risks and opportunities all the way through by integrating them into all clauses. It has also specially addressed the fact that audit practice had been changed by modern information and communication technologies.
Risks and opportunities have directly been integrated into the processes for drawing up the audit programme and conducting audits. In this respect, the focus is on the audit processes themselves whereas the organisation’s risks and opportunities are modelled in the audit contents. This starts with the principles of auditing, where the “risk-based approach” has been inserted as a new principle of auditing (“audit wherever the biggest effect can be achieved”). The bow stretches from the question for the risk made to accrue to the organisation by an audit itself (e.g. by operational personnel being distracted). This integrative and simple approach makes it easy to apply the deliberations in organisations with any size.
The requirements placed on auditor competence have been changed significantly. On the one hand, the general requirements have been extended a lot. On the other hand, the requirements specific to disciplines (quality, environment, safety, etc.) have been abolished completely. As the tasks are becoming more and more complex, the focus has been shifted from that on the competence of single auditors to the competence that should be found within the team. This new focus, for its part, is relevant for large-scale organisations, where auditors can work in the team. As for one-person companies, the challenge is that of finding the right auditor for the audit criteria. The discipline specific requirements have been abolished. At the same time, the competence for, e.g., environmental protection or occupational health and safety is required to be there within the audit team. On the one hand, this offers more flexibility for defining competence in a more targeted manner. On the other hand, it is, in particular, among small and medium-sized enterprises that it requires an intelligent approach for also providing that competence.
A major innovation is the new way to see the “location” of an audit. Here the location is defined by the place where information is received and not by the physical place where information is saved. Due to this separation, the term “on-site” is also given a different meaning. This implies a paradigmatic change as far as the way to plan and conduct audits is concerned.
Major changes are also included in the Annex, which gives practical hints. The Annex has been enlarged as far as the contents are concerned and by adding some clauses. The topics dealt with in the new clauses include:
- the process approach;
- “professional judgement”;
- auditing of “compliance”;
- auditing of relevant points of the “HLS“, such as context, leadership, risks & opportunities or the life cycle;
- auditing of physical and “virtual” locations
Central clauses: managing the audit programme and conducting audits
The heart of ISO 19011 is formed by Clauses 5 and 6, which are shown in Figure 2. In these clauses, two important concepts are explained. In Clause 5, the audit programme is explained. The audit programme refers to planning of audits over a certain period, mostly for one to no more than three years. The audit programme serves to plan what (which processes, functions, products, etc.) is audited at what moment and by placing what requirements (in the technical language “audit criteria”).
In small organisations, this will be a spreadsheet with but few lines. In large-scale corporations and company groups, however, such an audit planning will have a corresponding complexity in order to ensure that the most important areas are audited. In this respect, the “most important areas” are derived from the objectives and the risks and opportunities: What priorities have we set for ourselves for this year - e.g. based on our strategy? Where do we frequently have failures, nonconformities and complaints? Where are there big changes? Where might innovations be advisable in order to help us to maintain our competitiveness?
The connection between these two processes is the essential connection between the audit programme and a single audit. Here any information necessary for successfully performing an audit will be transmitted. At this point, an “audit order” can be talked about - even though this is not explicitly mentioned in the Standard.
Clause 6 deals with the implementation of single audits in detail. The steps range from the first phone call with the organisation to be audited to the completion of the activities and the distribution of the audit report. This means it is a question of guidance for the single audit, which helps to determine how an audit should be planned, performed and completed. In this respect, it is of central importance to gather information, draw samples, evaluate and assess information and, last but not least, elaborate audit findings and consequently establish audit conclusions.
Even the clauses that do not directly deal with the processes of drawing up an audit programme and conducting an audit have seen further developments. In this respect, interesting aspects include the following:
- adapting the definitions to the ISO Standards as far as possible (quotes from ISO 9000:2008);
- the fact that the texts of the Standard focus on the process rather than on the output (product);
- strengthening the “tool character” of the Standard - each organisation will only use the tools that are useful for the organisation; only in very rare cases will all tools be used