
Iso 19011 2018


INTERNATIONAL STANDARD ISO 19011

Redline version
compares Third edition to Second edition

Guidelines for auditing management systems
Lignes directrices pour l'audit des systèmes de management

Reference number
ISO 19011:redline:2018(E)

© ISO 2018


IMPORTANT — PLEASE NOTE


This is a mark-up copy and uses the following colour coding:

Text example 1 — indicates added text (in green)


Text example 2 — indicates removed text (in red)
— indicates added graphic figure
— indicates removed graphic figure
1.x ... — Heading numbers containing modifications are highlighted in yellow in
the Table of Contents

DISCLAIMER

This Redline version provides you with a quick and easy way to compare the main changes
between this edition of the standard and its previous edition. It doesn’t capture all single
changes such as punctuation but highlights the modifications providing customers with
the most valuable information. Therefore it is important to note that this Redline version is
not the official ISO standard and that the users must consult with the clean version of the
standard, which is the official standard, for implementation purposes.

COPYRIGHT PROTECTED DOCUMENT


© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland



Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles of auditing
5 Managing an audit programme
5.1 General
5.2 Establishing the audit programme objectives
5.3 Determining and evaluating audit programme risks and opportunities
5.3 5.4 Establishing the audit programme
5.3.1 5.4.1 Roles and responsibilities of the person individual(s) managing the audit programme
5.3.2 5.4.2 Competence of the person managing the individual(s) managing audit programme
5.3.3 5.4.3 Establishing the extent of the audit programme
5.3.4 Identifying and evaluating audit programme risks
5.3.5 Establishing procedures for the audit programme
5.3.6 5.4.4 Identifying Determining audit programme resources
5.4 5.5 Implementing the audit programme
5.4.1 5.5.1 General
5.4.2 5.5.2 Defining the objectives, scope and criteria for an individual audit
5.4.3 5.5.3 Selecting the and determining audit methods
5.4.4 5.5.4 Selecting the audit team members
5.4.5 5.5.5 Assigning responsibility for an individual audit to the audit team leader
5.4.6 5.5.6 Managing the audit programme outcome results
5.4.7 5.5.7 Managing and maintaining audit programme records
5.5 5.6 Monitoring the audit programme
5.6 5.7 Reviewing and improving the audit programme
6 Performing Conducting an audit
6.1 General
6.2 Initiating the audit
6.2.1 General
6.2.2 Establishing initial contact with the auditee
6.2.3 Determining the feasibility of the audit
6.3 Preparing audit activities
6.3.1 Performing document review in preparation for the audit review of documented information
6.3.2 Preparing the audit plan Audit planning
6.3.3 Assigning work to the audit team
6.3.4 Preparing work documents documented information for audit
6.4 Conducting the audit activities
6.4.1 General
6.4.2 Assigning roles and responsibilities of guides and observers
6.4.2 6.4.3 Conducting the opening meeting
6.4.3 Performing document review while conducting the audit
6.4.4 Communicating during the audit
6.4.5 Audit information availability and access
6.4.5 6.4.6 Assigning roles and responsibilities of guides and observers Reviewing documented information while conducting audit
6.4.6 6.4.7 Collecting and verifying information
6.4.7 6.4.8 Generating audit findings
6.4.8 6.4.9 Preparing Determining audit conclusions
6.4.9 6.4.10 Conducting the closing meeting
6.5 Preparing and distributing the audit report
6.5.1 Preparing the audit report
6.5.2 Distributing the audit report
6.6 Completing the audit
6.7 Conducting audit follow-up
7 Competence and evaluation of auditors
7.1 General
7.2 Determining auditor competence to fulfil the needs of the audit programme
7.2.1 General
7.2.2 Personal behaviour
7.2.3 Knowledge and skills
7.2.4 Achieving auditor competence
7.2.5 Audit team leaders Achieving audit team leader competence
7.3 Establishing the auditor evaluation criteria
7.4 Selecting the appropriate auditor evaluation method
7.5 Conducting auditor evaluation
7.6 Maintaining and improving auditor competence
Annex A (informative) Guidance and illustrative examples of discipline-specific knowledge and skills of auditors
Annex B A (informative) Additional guidance for auditors for planning and conducting audits
Bibliography


Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
International Standards are The procedures used to develop this document and those intended for
its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different
approval criteria needed for the different types of ISO documents should be noted. This document was
drafted in accordance with the rules given in editorial rules of the ISO/IEC Directives, Part 2 (see
www.iso.org/directives).
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
ISO 19011 This document was prepared by Technical Project Committee ISO/TC 176 PC 302, Quality
management and quality assurance Guidelines for auditing management systems, Subcommittee SC 3,
Supporting technologies.
This second third edition cancels and replaces the first second edition (ISO 19011:2002 2011), which has
been technically revised.
The main differences compared with the first to the second edition are as follows:
— the scope has been broadened from the auditing of quality and environmental management systems
to the auditing of any management systems addition of the risk-based approach to the principles of
auditing;
— the relationship between ISO 19011 and ISO/IEC 17021 has been clarified;
— remote audit methods and the concept of risk have been introduced;
— confidentiality has been added as a new principle of auditing;
— Clauses 5 expansion of the guidance on managing an audit programme, 6 and 7 have been
reorganized including audit programme risk;
— expansion of the guidance on conducting an audit, particularly the section on audit planning;
— expansion of the generic competence requirements for auditors;
— adjustment of terminology to reflect the process and not the object (“thing”);
— additional information has been included in a new Annex B, resulting in the removal of help
boxes removal of the annex containing competence requirements for auditing specific management
system disciplines (due to the large number of individual management system standards, it would
not be practical to include competence requirements for all disciplines);
— the competence determination and evaluation process has been strengthened;
— illustrative examples of discipline-specific knowledge and skills have been included in a
new expansion of Annex A to provide guidance on auditing (new) concepts such as organization
context, leadership and commitment, virtual audits, compliance and supply chain.
— additional guidelines are available at the following website: www.iso.org/19011auditing.

Introduction
Since the first second edition of this International Standard document was published in 2002 2011, a
number of new management system standards have been published, many of which have a common
structure, identical core requirements and common terms and core definitions. As a result, there is now
a need to consider a broader scope of approach to management system auditing, as well as providing
guidance that is more generic. Audit results can provide input to the analysis aspect of business
planning, and can contribute to the identification of improvement needs and activities.
In 2006, the ISO committee for conformity assessment (CASCO) developed ISO/IEC 17021, which sets
out requirements for third party certification of management systems and which was based in part on
the guidelines contained in the first edition of this International Standard. An audit can be conducted
against a range of audit criteria, separately or in combination, including but not limited to:
— requirements defined in one or more management system standards;
— policies and requirements specified by relevant interested parties;
— statutory and regulatory requirements;
— one or more management system processes defined by the organization or other parties;
— management system plan(s) relating to the provision of specific outputs of a management system
(e.g. quality plan, project plan).
This document provides guidance for all sizes and types of organizations and audits of varying scopes
and scales, including those conducted by large audit teams, typically of larger organizations, and
those by single auditors, whether in large or small organizations. This guidance should be adapted as
appropriate to the scope, complexity and scale of the audit programme.
The second edition of ISO/IEC 17021, published in 2011, was extended to transform the guidance
offered in this International Standard into requirements for management system certification audits. It
is in this context that this second edition of this International Standard provides guidance for all users,
including small and medium-sized organizations, and concentrates on what are commonly termed
“internal audits” This document concentrates on internal audits (first party) and “audits conducted by
customers on their suppliers” organizations on their external providers and other external interested
parties (second party). While those involved in This document can also be useful for external audits
conducted for purposes other than third party management system certification. ISO/IEC 17021-1
audits follow the requirements of provides requirements for auditing management systems for third
party certification; this document can provide useful additional ISO/IEC 17021:2011, they might also
find the guidance guidance (see Table 1 in this International Standard useful).
The relationship between this second edition of this International Standard and ISO/IEC 17021:2011 is
shown in Table 1.

Table 1 — Scope of this International Standard and its relationship with Different types of
ISO/IEC 17021:2011 audits
Internal auditing External auditing
Supplier auditing Third party auditing
1st party audit 2nd party audit 3rd party audit
Internal audit External provider audit Certification and/or accreditation
audit
Sometimes called first party audit Sometimes called second Other For legal Statutory, regulatory and
external interested party audit similar purposes For certification
(see also the requirements in ISO/
IEC 17021:2011) audit



This International Standard does not state requirements, but provides guidance on the management of
an audit programme, on the planning and conducting of an audit of the management system, as well as
on the competence and evaluation of an auditor and an audit team.
Organizations can operate more than one formal management system. To simplify the readability of
this International Standard document, the singular form of “management system” is preferred, but the
reader can adapt the implementation of the guidance to their own particular situation. This also applies
to the use of “person individual” and “persons individuals”, “auditor” and “auditors”.
This International Standard document is intended to apply to a broad range of potential users, including
auditors, organizations implementing management systems and organizations needing to conduct
audits of management systems management system audits for contractual or regulatory reasons. Users
of this International Standard document can, however, apply this guidance in developing their own
audit-related requirements.
The guidance in this International Standard document can also be used for the purpose of
self-declaration and can be useful to organizations involved in auditor training or personnel certification.
The guidance in this International Standard document is intended to be flexible. As indicated at various
points in the text, the use of this guidance can differ depending on the size and level of maturity of an
organization’s management system and on the. The nature and complexity of the organization to be
audited, as well as on the objectives and scope of the audits to be conducted, should also be considered.
This International Standard introduces the concept of risk to management systems auditing. The
approach adopted relates both to the risk of the audit process not achieving its objectives and to the
potential of the audit to interfere with the auditee’s activities and processes. It does not provide specific
guidance on the organization’s risk management process, but recognizes that organizations can focus
audit effort on matters of significance to the management system.
This International Standard document adopts the combined audit approach that when two or more
management systems of different disciplines are audited together, this is termed a “combined audit”.
Where these systems are integrated into a single management system, the principles and processes of
auditing are the same as for a combined audit (sometimes known as an integrated audit).
Clause 3 sets out the key terms and definitions used in this International Standard. All efforts have
been taken to ensure that these definitions do not conflict with definitions used in other standards.
Clause 4 describes the principles on which auditing is based. These principles help the user to
understand the essential nature of auditing and they are important in understanding the guidance set
out in Clauses 5 to 7.
Clause 5 This document provides guidance on establishing and managing the management of an audit
programme, establishing the audit programme objectives, and coordinating auditing activities on the
planning and conducting of management system audits, as well as on the competence and evaluation of
an auditor and an audit team.
Clause 6 provides guidance on planning and conducting an audit of a management system.
Clause 7 provides guidance relating to the competence and evaluation of management system auditors
and audit teams.
Annex A illustrates the application of the guidance in Clause 7 to different disciplines.
Annex B provides additional guidance for auditors on planning and conducting audits.



INTERNATIONAL STANDARD ISO 19011:redline:2018(E)

Guidelines for auditing management systems

1 Scope
This International Standard document provides guidance on auditing management systems, including
the principles of auditing, managing an audit programme and conducting management system audits, as
well as guidance on the evaluation of competence of individuals involved in the audit process, including
the person. These activities include the individual(s) managing the audit programme, auditors and
audit teams.
It is applicable to all organizations that need to plan and conduct internal or external audits of
management systems or manage an audit programme.
The application of this International Standard document to other types of audits is possible, provided
that special consideration is given to the specific competence needed.

2 Normative references
No normative references are cited. This clause is included in order to retain clause numbering identical
with other ISO management system standards There are no normative references in this document.

3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1
audit
systematic, independent and documented process for obtaining audit objective evidence (3.3 3.8) and
evaluating it objectively to determine the extent to which the audit criteria (3.2 3.7) are fulfilled
Note 1 to entry: Internal audits, sometimes called first party audits, are conducted by the organization itself ,
or on its behalf, for management review and other internal purposes (e.g. to confirm the effectiveness of the
management system or to obtain information for the improvement of the management system). Internal audits
can form the basis for an organization’s self-declaration of conformity. In many cases, particularly in small
organizations, independence can be demonstrated by the freedom from responsibility for the activity being
audited or freedom from bias and conflict of interest. behalf of, the organization itself.

Note 2 to entry: External audits include those generally called second and third party audits. Second party audits
are conducted by parties having an interest in the organization, such as customers, or by other persons individuals
on their behalf. Third party audits are conducted by independent auditing organizations, such as regulators
or those providing certification/registration of conformity or governmental agencies.

Note 3 to entry: When two or more management systems of different disciplines (e.g. quality, environmental,
occupational health and safety) are audited together, this is termed a combined audit.

Note 4 to entry: When two or more auditing organizations cooperate to audit a single auditee (3.7), this is termed
a joint audit.

Note 5 to entry: Adapted from ISO 9000:2005, definition 3.9.1.



[SOURCE: ISO 9000:2015, 3.13.1, modified — Note 1 to entry has been added, Note 4 to entry has been
modified]
3.2
combined audit
audit (3.1) carried out together at a single auditee (3.13) on two or more management systems (3.18)
Note 1 to entry: When two or more discipline-specific management systems are integrated into a single
management system this is known as an integrated management system.

[SOURCE: ISO 9000:2015, 3.13.2, modified]


3.3
joint audit
audit (3.1) carried out at a single auditee (3.13) by two or more auditing organizations
[SOURCE: ISO 9000:2015, 3.13.3]
3.4
audit programme
arrangements for a set of one or more audits (3.1) planned for a specific time frame and directed
towards a specific purpose
[SOURCE: ISO 9000:2015, 3.13.4, modified — wording has been added to the definition]

3.5
audit scope
extent and boundaries of an audit (3.1)


Note 1 to entry: The audit scope generally includes a description of the physical and virtual-locations, functions,
organizational units, activities and processes, as well as the time period covered.

Note 2 to entry: A virtual location is where an organization performs work or provides a service using an on-line
environment allowing individuals irrespective of physical locations to execute processes.


[SOURCE: ISO 9000:2015, 3.13.5, modified — Note 1 to entry has been modified, Note 2 to entry has
been added]
3.6
audit plan
description of the activities and arrangements for an audit (3.1)


[SOURCE: ISO 9000:2015, 3.13.6]
3.2 3.7
audit criteria
set of policies, procedures or requirements requirements (3.23) used as a reference against which
audit objective evidence (3.3 3.8) is compared
Note 1 to entry: Adapted from ISO 9000:2005, definition 3.9.3.

Note 21 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the terms
“compliant words “compliance” or “non-compliant compliance” are often used in an audit finding (3.4 3.10).

Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements,
contractual obligations, etc.

[SOURCE: ISO 9000:2015, 3.13.7, modified — the definition has been changed and Notes to entry 1 and
2 have been added]

3.3 3.8
audit objective evidence
records, statements of fact or other information which are relevant to the data supporting the existence
or audit criteria (3.2) and verifiable verity of something
Note 1 to entry: Audit Objective evidence can be qualitative or quantitative obtained through observation,
measurement, test or by other means.

Note 2 to entry: Objective evidence for the purpose of the audit (3.1) generally consists of records, statements of
fact, or other information which are relevant to the audit criteria (3.7) and verifiable.

[SOURCE: ISO 9000:2005, definition 3.9.4 2015, 3.8.3]


3.9
audit evidence
records, statements of fact or other information, which are relevant to the audit criteria (3.7) and
verifiable
[SOURCE: ISO 9000:2015, 3.13.8]
3.4 3.10
audit findings
results of the evaluation of the collected audit evidence (3.3 3.9) against audit criteria (3.2 3.7)
Note 1 to entry: Audit findings indicate conformity (3.20) or nonconformity (3.21).


Note 2 to entry: Audit findings can lead to the identification of risks, opportunities for improvement or recording
good practices.

Note 3 to entry: If In English if the audit criteria are selected from legal or other statutory requirements or
regulatory requirements, the audit finding is termed compliance or non-compliance.


Note 4 to entry: Adapted from ISO 9000:2005, definition 3.9.5.


[SOURCE: ISO 9000:2015, 3.13.9, modified — Notes to entry 2 and 3 have been modified]
3.5 3.11
audit conclusion
outcome of an audit (3.1), after consideration of the audit objectives and all audit findings (3.4 3.10)
Note 1 to entry: Adapted from ISO 9000:2005, definition 3.9.6.

[SOURCE: ISO 9000:2015, 3.13.10]


3.6 3.12
audit client
organization or person requesting an audit (3.1)
Note 1 to entry: In the case of internal audit, the audit client can also be the auditee (3.7 3.13) or the
person individual(s) managing the audit programme. Requests for external audit can come from sources such as
regulators, contracting parties or potential or existing clients.

Note 2 to entry: Adapted from ISO 9000:2005, definition 3.9.7.

[SOURCE: ISO 9000:2015, 3.13.11, modified — Note 1 to entry has been added]
3.7 3.13
auditee
organization as a whole or parts thereof being audited
[SOURCE: ISO 9000:2005, definition 3.9.8 2015, 3.13.12, modified]

3.8
auditor
person who conducts an audit (3.1)
3.9 3.14
audit team
one or more auditors (3.8)persons conducting an audit (3.1), supported if needed by technical experts
(3.10 3.16)
Note 1 to entry: One auditor (3.15) of the audit team (3.14) is appointed as the audit team leader.

Note 2 to entry: The audit team can include auditors-in-training.

[SOURCE: ISO 9000:2005, definition 3.9.10 2015, 3.13.14]


3.15
auditor
person who conducts an audit (3.1)
[SOURCE: ISO 9000:2015, 3.13.15]
3.10 3.16
technical expert
<audit> person who provides specific knowledge or expertise to the audit team (3.9 3.14)

Note 1 to entry: Specific knowledge or expertise is that which relates to the organization, the process or
activity activity, process, product, service, discipline to be audited, or language or culture.

Note 2 to entry: A technical expert to the audit team (3.14) does not act as an auditor (3.8 3.15) in the audit team .

[SOURCE: ISO 9000:2005, definition 3.9.11 2015, 3.13.16, modified — Notes to entry 1 and 2 have been
modified]
3.11 3.17
observer
person individual who accompanies the audit team (3.9 3.14) but does not audit act as an auditor (3.15)

Note 1 to entry: An observer is not a part of the audit team (3.9) and does not influence or interfere with the
conduct of the audit (3.1).


Note 2 to entry: An observer can be from the auditee (3.7), a regulator or other interested party who witnesses
the audit (3.1).

[SOURCE: ISO 9000:2015, 3.13.17, modified]


3.12
guide
person appointed by the auditee (3.7) to assist the audit team (3.9)
3.13 3.18
audit programme management system
arrangements for a set of one interrelated or more audits (3.1) planned for a specific time frame and
directed towards a specific purpose interacting elements of an organization to establish policies and
objectives, and processes (3.24) to achieve those objectives
Note 1 to entry: Adapted from ISO 9000:2005, definition 3.9.2. A management system can address a single
discipline or several disciplines, e.g. quality management, financial management or environmental management.

Note 2 to entry: The management system elements establish the organization’s structure, roles and
responsibilities, planning, operation, policies, practices, rules, beliefs, objectives and processes to achieve those
objectives.

Note 3 to entry: The scope of a management system can include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.

[SOURCE: ISO 9000:2015, 3.5.3, modified — Note 4 to entry has been deleted]
3.14 3.19
audit scope risk
extent and boundaries of an effect of audit (3.1)uncertainty
Note 1 to entry: An effect is a deviation from the expected – positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence and likelihood.

Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73:2009,
3.5.1.3) and consequences (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.

Note 4 to entry: The audit scope generally includes a description of the physical locations, organizational units,
activities and processes, as well as the time period covered Risk is often expressed in terms of a combination of
the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in
ISO Guide 73:2009, 3.6.1.1) of occurrence.

[SOURCE: ISO 9000:2005, definition 3.9.13 2015, 3.7.9, modified — Notes to entry 5 and 6 have been
deleted]

3.15 3.20
audit plan conformity
description of the activities and arrangements for an fulfilment of a audit (3.1) requirement (3.23)

[SOURCE: ISO 9000:2005, definition 3.9.12 2015, 3.6.11, modified — Note 1 to entry has been deleted]
3.16 3.21
risk nonconformity
effect of uncertainty on objectives non-fulfilment of a requirement (3.23)


Note 1 to entry: Adapted from ISO Guide 73:2009, definition 1.1.


[SOURCE: ISO 9000:2015, 3.6.9, modified — Note 1 to entry has been deleted]
3.17 3.22
competence
ability to apply knowledge and skills to achieve intended results
Note 1 to entry: Ability implies the appropriate application of personal behaviour during the audit process.

[SOURCE: ISO 9000:2015, 3.10.4, modified — Notes to entry have been deleted]
3.18 3.23
conformity requirement
fulfilment of a requirement need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and
interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, for example in documented information.

[SOURCE: ISO 9000:2005, definition 3.6.1 2015, 3.6.4, modified — Notes to entry 3, 4, 5 and 6 have been
deleted]
