ISO 19011 Report
ISO 19011:2018
Understanding the International Standard
Ideagen provides software and expertise to help the world’s
leading brands to improve efficiency, prevent undesirable events
and ensure compliance by managing quality, safety, audit and
every aspect of operational risk.
1. Foreword by Ideagen
2. Introduction
4. Executive summary
8. Conclusion
10. Acknowledgements
www.quality.org | 1
2 | ISO 19011:2018 | Understanding the International Standard
1. Foreword by Ideagen
The release of ISO19011:2018 highlights the emergence of the “business focused auditor.” Gone are the days of the auditor being a detached observer, policing processes and procedures. Today’s auditors are relied upon by their businesses to focus on what is important. Auditors are now leading conversations with senior management about areas of risk and the reasons why the business is not meeting its objectives.
Ideagen has partnered with audit professionals for over twenty years, supplying the technology required to manage the complexity that an audit programme demands. The discipline has matured in that time, along with the management systems themselves, but the pace of change has accelerated rapidly in the previous few years.
We have seen audit professionals proactively adopt a far more strategic audit methodology where the risk assessment process is the key driver of the audit plan. Audit departments are maintaining an up-to-date view of overall risk levels across the organization, becoming more agile in their approach to target the areas of real concern.
ISO19011:2018 reflects the best practices that auditors have shown over the last few years; and gives less mature organizations a worthy standard to aspire to. Regardless of maturity, the nature of risk is evolving, bringing new challenges. The nature of risk is evolving to include digital business, increasing ownership of supply chain risk and an assurance remit over increasingly focused management systems.
Whilst a rapidly changing risk environment can be extremely daunting, adopting a risk-based perspective to audit planning and execution decreases organization risk by:
• Improving the integrity of the organization
• Identifying potentially significant risks and issues in a timely manner
• Holding management to account, and
• Identifying and communicating improvement that would benefit the organization.
ISO 19011:2018 will go a long way to support auditors of all maturity levels to adopt a business focus, proving that quality is about performance, not just conformance.
2. Introduction
Following its introduction in October 2002, ISO 19011 quickly established itself as the premier source
of guidance for quality professionals whose roles encompassed management systems audit. Whereas the
2002 edition focussed solely on the audit of quality and environmental management systems, it became
the de facto standard for auditors of all other disciplines. The 2011 edition recognised this, as does the
latest 2018 edition, in providing guidance which is designed to be applicable to any type of management
system audit, irrespective of technical discipline or whether the management system under examination
is based on an ISO standard or otherwise.
For those commissioning management system audits, those tasked with audit programme delivery, those
engaged in planning, conducting and reporting single audits and those who are subject to being audited,
this is the generic standard that establishes the framework within which management system audit
activity typically takes place.
Additionally, it outlines common terms and definitions relating to audit and identifies principles which
should govern the overall approach to audit. For those new to management system audit or those
seeking to expand their existing understanding, ISO 19011:2018 also contains specific guidance on a
range of related topics in an enhanced annex to the main standard.
It is important to remember that ISO 19011 is a guidance standard. As such, it does not contain
requirements that organizations must meet, nor is it a standard that organizations can secure third party
certification against. Its focus is instead orientated towards first party audits (internal audits) and second
party audits (audits conducted by organizations on external providers and other external interested
parties). And while requirements for third party management system certification are contained within
the ISO 17021-X series of standards, ISO 19011 is recognised as providing useful guidance for third party
conformity assessment, or certification.
For the Chartered Quality Institute (CQI) and International Register of Certificated Auditors (IRCA),
the importance of ISO 19011 is immense. Over 70,000 delegates each year attend IRCA approved
auditor training courses, all of which adopt ISO 19011 as the basis for their course criteria. There are
also 10,000 IRCA certificated auditors registered against sector or standard specific schemes on this
While requirements standards such as ISO 9001, ISO 14001 and ISO 45001 tend to steal the limelight,
ISO 19011 is arguably more important because it underpins them all. This is because effective audit
provides an organization and its stakeholders with critical assurance based on clear evidence that these
systems are delivering their intended outcomes. In the absence of assurance, uncertainty increases,
confidence diminishes, trust is lost.
Audit also provides a means to detect developing issues, to limit damage, for root cause corrective
action and an opportunity to address problems internally before they have a wider impact. But audit
should not be just about ‘policing’ the business. First and second party audits should also be used to
drive ongoing improvement, something which the 2018 edition of ISO 19011 emphasises throughout.
It’s not by accident that all ISO management systems place considerable importance on the role of
internal audit.
This document is intended to assist both CQI members and IRCA auditors in aligning their audit activities
to meet the revised and enhanced best practice set out in ISO 19011:2018.
At each stage, the CQI and IRCA put forward comments and suggestions on behalf of its members
in respect of what it believed the standard should contain. The most significant of these interventions
took place at the Draft International Standard (DIS) stage. Using CQI and IRCA standards commenting
system (SCS) software, CQI and IRCA members registered over 120 comments on the proposed
revision. As a result, CQI and IRCA members have had a material input into shaping the contents of
ISO 19011:2018.
3. Message from Denise Robitaille
A little history
When ISO 19011 was first conceived it was a joint venture between two technical committees,
TC 176 and TC 207, with responsibility for quality management system standards and environmental
management system standards, respectively. It resided in the portfolio of TC176/SC3.
The ISO Technical Management Board recognized that the sphere of management system standards had
mushroomed to more than 70 and that more sectors outside of ISO were making use of the guidance.
TMB created a new PC to accommodate the broader scope of users. Why is this important?
In the last few years we’ve seen the introduction of new management system standards dealing with
occupational health and safety, information management and energy management. Also, the most
popular standards underwent major revisions. PC302 was founded to reflect the broader range of users.
It has liaisons with many of the other ISO committees and sector specific organizations. Representatives
from these liaisons engaged with PC302 bringing their valuable input and concerns. This resulted in a
document that reflected myriad users, increasing its relevance and reach around the globe.
What’s changed?
Many organizations either choose or are required to implement and maintain multiple integrated
management system schemes. Technology has changed, and with it the opportunity to conduct remote
(or virtual) audits. Consideration of risk has become endemic. And, ISO 9001 introduced the concepts
of the context of the organization.
Key changes in the 2018 version include the addition of a risk-based approach to the principles of
auditing. There was a need to reflect the enhanced focus on risk in both management standards and in
the marketplace. Additionally, like any other process, auditing itself engenders certain risks.
There has been an expansion of guidance on managing an audit program, and planning and conducting audits. Due to the burgeoning number of management system standards, the language has been revised to be more generic – allowing for applicability across a broader range. Annex A (A.10) provides tips on auditing risks and opportunities while clause A.8 addresses challenges in auditing organizational context. Annex A (A.10) also introduces the concept of applying risk-based thinking to the audit process. Annex A (A.16) covers auditing virtual activities and locations.
The CQI and IRCA is a global player in the world of management system
audit, with its IRCA brand being widely recognised as representing the ‘gold
standard’ for auditor certification and training. It is committed to ensuring that
the highest standards of auditor competence, professionalism and integrity are
implemented worldwide.
5. Interpretation and comment
The interpretation and comments contained within this document are those of the CQI and IRCA.
Other organizations may interpret this guidance differently. As such, this document should not be viewed
as a definitive reference source for this International Standard; indeed, only documentation sourced
directly from ISO/PC 302 can fulfil this purpose.
• simplify the language used in each clause of ISO 19011:2018 to make its meaning
easier to understand;
• identify whether the guidance provided in ISO 19011:2018 is new, is an amended version of the
2011 text, or whether it is taken directly from the 2011 edition of the standard;
• identify the implications of the 2018 guidance for stakeholders such as audit programme managers,
auditors, audit clients and auditees.
Note: The CQI and IRCA is not permitted to reproduce the direct contents of the standard
due to copyright restrictions. Those individuals who need access to the actual content of ISO
19011:2018 should make their own arrangements to source a copy of the standard directly from
an authorised supplier.
Foreword
The foreword to ISO 19011:2018 notes that this is a technical revision to the 2011 edition. This is
important as it signals that the changes it contains are significant. The main differences between the two
editions are then listed. These are replicated in the executive summary.
The foreword recognises that the 2018 edition was prepared by Project Committee (ISO/PC 302) –
Guidelines for auditing management systems. This represents a change in ownership; the 2011 edition
was developed by Technical Committee (ISO/TC 176) – Quality management and quality assurance.
Finally, it confirms that the publication of ISO 19011:2018 replaces and automatically cancels
ISO 19011:2011.
Introduction
The standard opens by stating that, since the publication of the 2011 edition, a range of new and
revised management systems standards have been published which share a common high-level
structure, identical core requirements, and common terms and definitions based on the ISO Annex SL
requirements. This approach has presented a need for the new edition to provide audit guidance which
is more generic, as opposed to the previous version which was discipline specific.
The standard recognises the range of criteria against which audits may be conducted. These include
requirements defined in one or more management system standards, policies and requirements
specified by stakeholders, statutory or regulatory requirements, management system processes as
defined by the organization or others, or quality plans/project plans. The standard notes that this list
is not definitive and that a single audit may be conducted against one or several criteria. The guidance
contained in the standard is also applicable to the use of combined audits and the audit of integrated
management systems.
There is a statement that the standard provides guidance which is intended for use by all organizations,
irrespective of their size or type, and for audits of varying scopes and scales ranging from a single auditor
in a small organization to a large audit team in a large organization. The guidance is intended to be
flexible and may be adapted by organizations to suit their own, audit-related programmes.
While ISO 19011:2018 is primarily focussed on internal audits (first party) and audits performed by
organizations on external providers (second party), it also complements ISO/IEC 17021-1 Conformity
assessment — Requirements for bodies providing audit and certification of management systems — Part
1: Requirements which is only applicable to certification (third party) audits. ISO 19011:2018 can also
be used as guidance input for any organization which wishes to develop their own audit process. The
standard can be deployed by organizations which contribute to the audit sector through training and
personnel certification of auditors, such as CQI and IRCA.
ISO 19011:2018 can be used by organizations for self-declaration, i.e. the organization can claim that
it has adopted the guidance contained within the Standard and adheres to its principles, however
organizations are not able to obtain accredited, independent certification to this effect.
1. Scope
The scope of the applicability of this revision has not changed apart from minor changes in terminology.
The purpose of ISO 19011:2018 remains to provide guidance on auditing management systems.
This includes guidance on the principles of auditing, managing an audit programme and conducting
management system audits.
The standard recognises that it is applicable for all organizations that have a requirement to ‘plan
and conduct’ internal or external management system audits (previously just ‘conduct’), and that the
guidance contained can be applied to other types of audit provided that organizations give special
consideration to the specific competence required for such audits.
2. Normative References
ISO 19011:2018 is intended to be used as a standalone document and does not need to be read in
conjunction with any other standard (i.e. it has no normative references). In this respect it replicates
ISO 19011:2011.
Due to the extent and nature of these changes, those involved in audit should familiarise themselves
with the revised terminology. The 2018 edition of the standard points readers to two websites where
terms and definitions used in standardisation can be accessed for free – https://www.iso.org/obp and
http://www.electropedia.org/
4. Principles of Auditing
ISO 19011:2011 identifies six principles of auditing, the ‘pillars’ on which effective audit is built.
These are integrity, fair presentation, due professional care, confidentiality, independence and an
evidence-based approach.
These are essentially unchanged but ISO 19011:2018 now adds a seventh principle –
risk-based approach.
This requires auditors to determine the effect of uncertainty, positive or negative, on the overall
audit process.
Adopting a risk-based approach ensures audits focus on those processes where the effect of uncertainty
on the management system is greatest, i.e. those which are of most importance to the audit client. This
approach also considers risks and opportunities that could affect the success of the audit programme in
achieving its objectives.
ISO 19011:2018 identifies two reasons for adhering to these principles. First, they are prerequisite
to audit conclusions which are reliable and sufficient. Secondly, adopting them should enable auditors
working independently of each other to arrive at similar conclusions in similar circumstances.
The wording of the existing principles remains largely unchanged with one important caveat added to
the principle ‘Independence’ (e). This now advises that internal auditors should be independent from the
function being audited ‘if practicable’. Formerly this was independence ‘from the operating managers of
the function etc.’ This recognises that for small and medium sized enterprises, securing full independence
from management may not always be practically possible and that the best that can be achieved is for
the auditor to be impartial and objective despite any management connection.
There has also been a change to the wording of the principle ‘Integrity’ (a). Auditors and individuals
(previously ‘person(s)’) managing an audit programme should now act ethically, honestly and responsibly
(previously ‘honestly, diligently and responsibly’) and must only undertake audit activities if they are
competent to do so.
ISO 19011:2018 advises that an audit programme should be established to include audits which
address one or more management system standards or other audit requirements. These audits may be
conducted separately or in combination (combined audit). In other words, no audit activity is too small
nor too big to exclude the need for an audit programme.
The extent of the audit programme will depend on many factors. These include the size and nature of the
auditee as well as the nature, functionality, complexity, types of risks and opportunities, and the level of
maturity of their management system(s).
The design, planning and validation of the audit programme requires careful consideration, particularly
where an organization operates in multiple sites and/or where important functions or processes are
outsourced and managed by an external provider with related consequences for leadership decisions.
When designing audit programmes, it is important to fully address the context of the auditee.
Information will be required on their organizational objectives, external and internal issues, the relevant
interests of their stakeholders and any specific information security and confidentiality requirements
pertaining to them that also need to be brought into the design consideration. The scope and extent of
this consideration of context is new.
The individual(s) managing the audit programme is responsible for ensuring that the integrity of the
programme is maintained and that undue influence is not exerted over any part of the audit process.
Note that the audit programme may be managed by a team, not necessarily an individual.
Audit resources should be directed to those areas of the management system which carry the most
risk to its performance or where its performance differs from what is desired (previously ‘matters of
significance within the management system’).
More emphasis has been placed on monitoring and measuring the implementation of the audit
programme by suggesting it should be done on an on-going basis to ensure the audit programme
objectives are being achieved and to identify both the need for changes to the audit programme and
possible opportunities for improving the programme.
The audit programme process in the context of applying the Plan, Do, Check, Act cycle has been
extensively reworked, as shown in Figure 1, to better reflect the structure of the revised standard.
The list of considerations on which objectives should be based has been extensively revised, primarily
to reflect the Annex SL changes. The standard now suggests that the following should all be considered
when setting programme objectives;
ISO 19011:2018 provides examples of audit programme objectives. These examples have been revised
from those appearing in the 2011 edition, adopting Annex SL terminology.
5.3 Determining and evaluating audit programme risks and opportunities
INTERPRETATION:
ISO 19011:2018 refers to ‘determining and evaluating’ audit programme risk, compared with ‘identifying
and evaluating’ in the 2011 version, i.e. a call for a more considered approach. It explicitly references the
need to determine opportunities as well as risks. The individual(s) managing the programme should now
present to the audit client the risks and opportunities they have determined during the development
of the audit programme, along with the programme’s associated resource requirements, presumably to
ensure accuracy.
Note that in the 2011 edition, audit programme risks did not need to be communicated
back to the client.
This sub-clause then sets out examples of audit programme risk. This has been updated and expanded
upon from that which appears in ISO 19011:2011. Examples of audit programme improvement
opportunities are provided also. These are new and include: allowing multiple audits to be conducted at
a single site visit, minimising travel time/distance to the audit location, matching the level of competence
needed for the audit to that of the audit team sent, and aligning audit dates with the availability of the
auditee’s key staff. Such improvements are designed to ensure maximum efficiency and effectiveness of
the audit process.
Note: ISO 19011:2018 uses the term ‘individual(s)’ as opposed to the 2011 edition version which
uses person(s).
When establishing the extent of the audit programme the individual(s) concerned should bear in mind
the programme objectives, including any limitations which may need to be considered. The 2011 edition
simply called for the extent of the programme to be established; it did not add any caveats.
• determine any internal or external risks and opportunities that could impact the programme
(previously just ‘the risks’) and should implement actions to address these (previously simply
evaluating them was sufficient) by integrating them into relevant audit activities.
• ensure audit teams are selected such that they possess the overall competence necessary to carry
out the required auditing activities. The individual(s) managing the audit programme can achieve this
by assigning roles, responsibilities and authorities and by supporting audit team leaders as required.
• establish all relevant processes within the audit programme (previously ‘procedures’) including for the
coordination and scheduling of audits, for establishing audit objectives, scopes and criteria for audits,
for determining audit methods, for selecting audit team members and for evaluating auditors.
• establish internal and external communications processes, dispute resolution and complaint
handling, audit follow-up (if applicable), and audit reporting to the audit client and other relevant
interested parties.
• determine (and now also ‘ensure’) provision of the resources necessary to deliver the
audit programme.
• ensure appropriate documented information (previously ‘records’) are prepared (previously
‘managed’) and maintained, including audit programme records.
• monitor, review and improve the programme.
• communicate the programme to the audit client (previously ‘top management’) and to other relevant
interested parties as may be appropriate.
Finally, the individual(s) managing the programme should seek approval for the programme from the
audit client. In the 2011 edition approval was sought ‘where necessary’ from ‘top management’.
A knowledge of audit principles, processes (previously procedures) and methods is still recommended,
as is knowledge of management system standards, other relevant standards, and relevant reference
and /or guidance documents. Additionally, the individual(s) managing the audit programme should have
knowledge of the auditee’s context and business activities, in addition to their processes, products and
services. They should also have knowledge of any statutory or regulatory requirements (previously
‘legal’) or other requirements relating to the auditee’s business functions.
Newly added is the recognition that individual(s) may need knowledge of risk management, project
and process management, and of information and communications technologies, necessary for them to
perform their audit programme management role.
The ISO 19011:2011 recommendation that the individual(s) managing the audit programme should engage
in continual professional development (CPD) to maintain the knowledge and skills necessary to manage
audit programmes is carried forward into the 2018 edition.
It is again noted that an audit ‘programme’ could consist of a single audit, e.g. an audit of a specific
project or of a specific supply contract.
Additionally, it is noted that the extent of the audit programme can also vary depending on the level
of information provided by the auditee in respect of its context. Where little information is provided,
uncertainty is higher and, as a result, the programme could be more extensive.
The individual(s) managing the programme are also tasked with selecting the audit methods to be used.
There is useful additional guidance on this subject in Annex A (A.1). They should provide the necessary
‘individual(s) and overall resources’ (previously just ‘resources’) to the audit team and should manage
all operational risks, opportunities and issues as they arise during the audit programme’s deployment.
Additional new responsibilities include defining and implementing the necessary operational controls
to allow the audit programme’s delivery to be monitored, and the review of the audit programme to
identify any opportunities for improvement. These issues are covered more fully later in the standard.
5.5.2 Defining the objectives, scope and criteria for a single audit
As previously, the revised standard deals with the requirements for setting up a single audit within the
audit programme. A number of subtle but important changes have been made.
ISO 19011:2011 advised that each single audit should be based on documented audit objectives, scope
and criteria. The recommendation to document is removed from this sub-clause in ISO 19011:2018,
which simply calls for the objectives, scope and criteria to be ‘defined’. The 2011 edition explicitly
identifies the definition of objectives, scope and criteria as the responsibility of the person managing the
programme. This text has been removed from sub-clause 5.5.2 in the 2018 edition.
The audit objectives now need to consider the context and strategic direction of the auditee, the
effectiveness of the management system in setting and delivering its objectives and its effectiveness in
dealing with risks and opportunities. Further useful guidance on auditing context is given in Annex A (A.8).
ISO 19011:2018 reminds us that the audit scope should be consistent with both the audit programme
and the audit objectives, and that conformity or otherwise should be determined against the audit
criteria. These statements are mostly unchanged from ISO 19011:2011. Audit criteria can now include
information provided by the auditee on context, risks and opportunities faced by the organization.
If the audit objectives, scope or criteria change, the audit programme should be revised. New
for the 2018 edition is the explicit recommendation that the revised programme should then be
recommunicated to relevant interested parties for approval, if this is appropriate.
When two or more management systems of different disciplines are audited together (referred to as a
combined audit) the audit objectives, scope and criteria for each discipline must be mutually consistent.
The 2018 edition recognises that, when conducting combined audits, there may be instances where
the audit scopes for different disciplines are not the same, i.e. the audit boundaries for one discipline,
e.g. environment, could encompass the entire organization whilst for another discipline, e.g. quality, they
may be restricted to a subset of defined processes of the organization. This is new text which does
not appear in ISO 19011:2011.
As was the case for ISO 19011:2011, the 2018 edition states that in instances where two or more
organizations are to conduct a joint audit of the same auditee, the individual(s) responsible for managing
each programme should jointly agree the audit methods to be employed. They should also consider the
implications of joint-working for audit planning and resourcing.
In cases where the auditee operates two or more management systems of different disciplines, ISO
19011:2018 recognises that combined audits may be included in the audit programme.
An audit ‘team’ may consist of just one auditor who should perform all the duties associated with the
audit team leader role.
Both ISO 19011:2011 and ISO 19011:2018 contain text relating to the steps to be taken by the
individual(s) managing the audit programme to assure the overall competence of the team. These steps
include initially identifying the competence needed to achieve an audit’s objectives, followed by the
selection of audit team members who can demonstrate these areas of competence.
The considerations for deciding the size and composition of the audit team for a specific audit that
appear in the 2011 version have been subject to some change. The most important of these is that ‘the
need to ensure independence from the activities being audited’ has been replaced in ISO 19011:2018
with ‘ensuring objectivity and impartiality’. Those selecting audit team leaders and members should be
cognisant of potential conflicts of interest.
The standard identifies the need to interact effectively not just with the auditee but also ‘with other
interested parties’. These could include trainee auditors, appointed observers, interpreters and
consultants. Another important addition to the 2018 edition is the recommendation that the type and
complexity of the processes to be audited should also be a consideration during team selection.
The ISO 19011:2011 recommendation that technical experts operate under the direction of an auditor
has been removed from this sub-clause in the 2018 edition. Technical experts with their additional
competence are recognised as a support for the team, and not as team members with auditing
responsibilities. The team leader should direct the use of technical experts.
Both the 2011 and 2018 versions note that auditors in training may be included in the audit team,
however they should operate under the direction of a competent auditor. Both editions also recognise
that the membership of the audit team may need to be changed during an audit should a competence
issue or a conflict of interest come to light. Consultation with all relevant parties should take place prior
to such change.
New for 2018 is an explicit recommendation that the individual(s) managing the audit programme
should consult the audit team leader in respect of audit team composition, where appropriate.
5.5.5 Assigning responsibility for a single audit to the audit team leader
As is the case for the 2011 edition, ISO 19011:2018 recommends that the individual(s) managing the
audit programme assigns responsibility for each single audit contained within the audit programme to an
audit team leader (often described as the Lead Auditor). This should be done sufficiently in advance of
the scheduled audit date to permit effective planning.
The information to be made available to the audit team leader is similar in the 2018 edition to that
which appears in the 2011 edition. This includes information relating to audit objectives, criteria, scope
and methods, composition of the team, contact details for the auditee, the audit location(s), dates and
durations, as well as details of the resources that are being allocated to the audit. This information will
usually be sourced from the audit programme and should now include any information which the audit
team leader needs to deliver an effective audit while working with the auditee.
Carried over from the 2011 edition is the recommendation to provide the audit team leader with
information relating to risks (and now opportunities) associated with meeting the audit objectives.
The assignment information provided to the audit team leader should also include details relating to
the working and reporting language of the audit and details as to whom the audit reporting output
(previously ‘audit report’) is to be provided. It should also include applicable matters relating to
confidentiality, information security, security and authorisations, follow ups from previous audits, and any
pertinent information relating to the coordination of other audit activities such as joint audits.
New for 2018 is the need for communication of information relating to health, safety and environmental
arrangements (previously ‘health and safety requirements’) for auditors as well as any requirements for
travel to or access to remote sites.
The importance of reaching agreement on the respective responsibilities for each organization involved
in a joint audit (where two or more parties audit together) is carried across from the 2011 edition. This
should be achieved before the joint audit is performed. In particular, the authority of the appointed
audit team leader should be agreed with all parties in advance of the audit beginning.
ISO 19011:2018 uses the term ‘results’ whereas the 2011 edition refers to ‘outcomes’. This may seem
like semantics but ‘results’ may more accurately describe the outputs from an evaluation process
such as an audit.
Added for 2018 is the recommendation that the individual(s) managing the audit programme should
ensure that an evaluation of the achievement of the objectives for each audit takes place within the
context of the audit programme. They should also ensure the review and approval of audit reports in
respect of the fulfilment of each single audit’s scope and objectives. The distribution of audit reports to
‘top management and other interested parties’ simply becomes ‘to relevant interested parties’.
The 2018 revision deletes the need for a review of root cause analysis and the effectiveness of
corrective and preventive action. This is replaced with a review of the effectiveness of actions taken
to address the audit findings. This change removes any doubt about the auditor’s involvement in
determining the root cause of a nonconformity which is the responsibility of the auditee.
New for 2018 is the suggestion that the individual(s) managing the audit programme should consider
communicating the audit results and any identified best practice to other areas of the organization and
that they should also consider the implications of the audit results for other processes operating within
the organization.
The listing of typical records has been revised. These are still broken down into three categories:
In respect of the audit programme, ‘schedule of audits’ has been added as a new entry and ‘documented
audit programme objectives’ becomes simply ‘audit programme objectives’. ‘Records addressing risk’
becomes ‘records addressing risk and opportunities, and relevant external and internal issues’, whilst
‘records reviewing audit programme effectiveness’ remains unchanged.
In respect of records relating to single audits, ‘audit plans’ and ‘audit reports’ are carried across from the
2011 edition as are ‘nonconformity reports’. Records of ‘corrections and corrective action reports’ and
‘audit follow up reports’ are included.
Note that any doubt about the applicability of follow up reports has been removed. New in the
2018 edition is the inclusion of records relating to ‘objective audit evidence and findings’.
In respect of records relating to the audit team at audit programme management level, the 2011
recommendations of records which evidence audit team members’ competence and performance, and
the maintenance and improvement of competence appear once more in the 2018 edition. The 2011
‘selection of audit teams and team members’ has been expanded to ‘criteria for the selection of audit
teams and audit team members and the formation of audit teams’.
As before, ISO 19011:2018 states that audit records should contain sufficient detail to demonstrate that
the objectives of the audit programme have been achieved.
The individual(s) responsible for managing the audit programme should also evaluate feedback from
audit clients (previously ‘top management’), auditees, auditors, technical experts (new for 2018),
and other relevant interested parties. To this guidance, the 2018 edition adds that audit programme
management should consider whether the documentation applicable to the whole audit process is
suitable for the purpose intended.
As was the case for the 2011 edition, the 2018 edition recognises that certain factors may require
the audit programme to be modified. These may include audit findings, the demonstrated level
of the auditee’s management system’s effectiveness, changes to the auditee’s management system,
changes to standards to which the organization is committed and changes to external providers
(previously ‘suppliers’).
To this list the 2018 edition adds changes to the demonstrated maturity of the auditee’s management
system, changes to the effectiveness of the audit programme, changes to either an audit’s scope or the
audit programme’s scope, identified conflicts of interest and changes to the audit client’s requirements.
The individual(s) managing the audit programme should still also review the continual professional
development of auditors in accordance with clause 7.6 (previously ‘7.4, 7.5 and 7.6’) of the standard.
Subject to the minor wording revisions outlined above, this list remains the same as for ISO 19011:2011.
The results of the audit programme review should now be reported to relevant interested parties
(previously ‘top management’).
Clause 6.1 advises that Clause 6 provides guidance on preparing and conducting a specific audit
(previously ‘audit activities’) as a part of an overall audit programme. Figure 2 (Typical audit activities)
found in the 2011 edition has been deleted since the process flow of audit activities is illustrated in the
context of the plan-do-check-act cycle in Figure 1. There is reference to a new Figure 2 (overview of a
typical process of collecting and verifying information) which also appeared in 2011 as Figure 3. As in the
2011 edition, there is a reminder that the extent to which Clause 6 is applicable is dependent on the
objectives and scope of each single audit.
ISO 19011:2018 again recognises that the sequence of audit activities found in Figure 1 can be varied
depending on the auditee, their processes and/or the specific circumstances of the audit.
Arrangements with the auditee for conducting the audit remain an audit team leader responsibility.
The list of matters to be discussed during these arrangements is essentially unchanged. The audit team
leader should confirm the communication channels to be used and their authority to conduct the audit.
They should provide relevant information on the audit objectives, scope, criteria, methods and audit
team composition, including details of any technical experts.
The audit team leader should request relevant information to assist with the planning of the audit which
now includes information on the risks and opportunities the organization has identified and how these
are being addressed.
In addition, the audit team leader should determine any applicable statutory and regulatory
requirements (previously ‘legal requirements’) and other requirements relevant to the auditee’s activities,
processes, products and services. They should confirm the date(s) for the audit and the necessary
arrangements for access, health and safety, security and confidentiality at the audit location(s).
The audit team leader should also determine any specific areas of interest, concern or (new for 2018)
risk to the auditee, in relation to the audit. Finally, and also new for 2018, they should resolve any issues,
including potential conflicts of interest, regarding the composition of the audit team with the auditee
and/or the audit client.
If it is determined that it is not feasible to conduct the programmed audit, an alternative plan should be
proposed to the audit client, subject to the agreement of the auditee.
Note that there is no guidance on who should conduct this stage or where it should be
conducted. This review activity is sometimes referred to as part of Stage 1 of an audit. Part of the
purpose of conducting this review is to allow the audit team to become familiar with the auditee’s
management system so that subsequent audit activities can be better planned.
The documented information examined should include (but not be limited to) management system
documents and records and previous audit reports. The review should take into account the auditee’s
context (this is new) and its size, nature and complexity. It should also take into account the auditee’s
related risks and opportunities (also new), the audit scope, criteria (also new) and objectives.
A new note is added in ISO 19011:2018 to advise that guidance on how to verify information is
provided in Annex A (A.5). This replaces the guidance on how to conduct document review contained
in Annex B.5 of the 2011 version.
6.3.2 Audit planning (previously ‘preparing the audit plan’).
Audit planning (previously ‘the audit plan’) should consider the risks (previously ‘the effect’) the audit
activities pose to the auditee’s processes and should provide the basis for agreement between the audit
client, audit team and auditee in respect of how the audit is to be conducted.
Planning (previously ‘the audit plan’) should help to ensure that audit activities are efficiently scheduled
and coordinated. This will assist in achieving the audit objectives in an effective manner.
The extent of the detail contained within an audit plan should be commensurate with the scope of the
audit and its complexity, as well as the degree of uncertainty of the audit not achieving its objectives.
When planning the audit (previously ‘when preparing the audit plan’) the audit team leader should
consider the composition and overall competence of the audit team, which sampling techniques are
appropriate, any opportunities to improve the effectiveness and efficiency of the audit activities and any
risks to the auditee arising as a result of the audit being conducted. Further useful guidance on sampling
techniques is given in Annex A (A.6).
ISO 19011:2018 notes that risks to the auditee (previously ‘organization’) may occur as a result of the
presence of the audit team. These include the team adversely influencing (previously just ‘influencing’)
the auditee’s arrangements for health, safety, environment and quality, and its products, services,
personnel or infrastructure.
For combined audits involving different management systems, specific attention should be paid to the
interactions of operational processes and any potential competing objectives and priorities.
This sub-clause highlights that the scale and extent of audit planning (previously ‘the audit plan’) is likely
to differ between internal and external audits and between carrying out an initial audit and carrying out
subsequent audits.
The sub-clause also notes that as an audit progresses there may be a need to deviate from the original
plan. Audit planning (previously ‘the Audit Plan’) should be flexible enough to accommodate the need to
revise planned arrangements.
Audit planning should address or reference: the audit objectives, the audit scope (including the
identification of the organization, its functions and the processes to be audited) and the audit criteria
and any reference documented information (previously ‘documents’) to be used. It should also address
Also carried over from the 2011 edition is the need to address or reference the audit methods to be
used (which should include the extent to which sampling is required to obtain sufficient audit evidence).
Note that the planned audit methods need to take any previous input from audit programme
management (refer to 5.5.3) into account. The roles and responsibilities of audit team members,
guides, observers and (new for 2018) interpreters, and the allocation of appropriate resources
should be included. The allocation of appropriate resources should be based on consideration of
the risks and opportunities (previously based on the ‘critical areas’ to be audited) ‘related to the
activities that are to be audited’ (new).
Added to this list for 2018 is that audit planning should address the need for the audit team to become
familiar with the auditee’s facilities and processes, for example by undertaking a tour of any physical
locations or by reviewing information and communications technology. Very often the audit team leader
and relevant team members will visit the audit location for audit planning purposes (referred to as a
Stage 1 audit).
As for 2011, audit planning should take into account (as is appropriate) the identification of the auditee’s
representative(s) for the audit, the working and reporting language of the audit where this is different
from the language of the auditor or auditee or both, the audit report topics, and any specific logistical
and communications arrangements related to the audit location(s).
Audit planning should also take into account any specific actions necessary to address risks to
(previously ‘the effect of uncertainty on’) achieving the audit objectives, matters relating to confidentiality
and information security, follow up actions from previous audits ‘or other sources e.g. lessons learned,
project reviews’ (new for 2018) and follow up activities to the planned audit and any necessary
coordination with other audit activities, for example in the case of a joint audit.
The result of audit planning should be the production of an audit plan which should be made available
to the auditee. Any issues with the audit plan should be resolved with the involvement of audit programme
management, if necessary (new for 2018).
When deciding to whom to assign specific work, the 2018 edition identifies the need for the audit
team leader to take into account the ‘impartiality, objectivity and competence’ of auditors (previously
‘independence and competence’). The audit team leader should also seek to make the best use of their
available resources regarding the roles of auditors, auditors in training and any technical experts.
Audit team meetings (previously ‘briefings’) should be held by the audit team leader in order to allocate
work and to determine whether any changes in responsibilities or existing work allocations are required.
Ideally, the audit team should meet prior to the audit to ensure that team members are comfortable
with their allocated tasks. As in the 2011 edition, changes to responsibilities and work allocations may be
made during the audit to facilitate achievement of the audit objectives.
Relevant information, including that provided by the auditee, should be acquired and reviewed by audit
team members prior to conducting the audit. This should be used to prepare work documents to be
used for the audit such as physical or digital checklists (previously ‘checklists’), audit sampling details and
audio-visual information (previously ‘forms’). Further guidance on preparing audit work documents is
given in Annex A (A.13).
The ISO 19011:2011 text highlighting that checklists should not restrict the extent of audit activities is
carried over into the 2018 edition, as is the reminder that documented information prepared for and
resulting from the audit (previously ‘work documents, including records resulting from their use’) should
be retained until the time that the audit is completed or the duration specified in the audit programme
(previously ‘audit plan’). The 2011 edition recommendation that audit team members safeguard
documented information (previously ‘documents’) containing confidential or proprietary information is
retained in ISO 19011:2018.
Guides and observers may accompany the audit team. New for the 2018 edition is that this should be
with approvals from the audit team leader, audit client and/or auditee if required, bearing in mind that
this should be raised at the initial contact (refer to 6.2.2).
Guides and observers should not influence the conduct of the audit. If this cannot be guaranteed the
audit team leader should be allowed to exclude them from certain audit activities.
Guides, appointed by the auditee, should assist the audit team under the direction of the audit team
leader or (new for 2018) the auditor to whom they have been assigned. The guide’s duties have not
changed and will typically include: identifying individual(s) for interview, confirming timings and locations,
arranging access to specific locations, communicating location-specific rules to the audit team and
addressing any associated risks, witnessing the audit on behalf of the auditee and providing clarification/collecting
information as needed without interfering with or influencing the audit.
Both the auditee’s management and any individuals whose functions and/or processes are to be audited
should be present at the opening meeting, if appropriate, and they should be given an opportunity to
ask questions.
The context of the opening meeting should be commensurate with its setting. It may be a formal affair,
chaired by the audit team leader, with a set agenda and records of attendance being retained or it may
simply consist of the audit team leader providing confirmation to management that an audit is being
conducted and explaining the nature of the audit e.g. for an internal audit.
Any other participants including observers, guides and (new for 2018) interpreters, should be
introduced and their roles should be explained.
The audit methods that will be employed in order to manage any risks to the auditee’s organization
arising from undertaking the audit should also be identified.
The opening meeting should also be used to confirm, as appropriate, the audit objectives, scope and
criteria, the audit plan and other relevant arrangements with the auditee (such as the date and time of
the closing meeting and any interim meetings), as well as the formal communication channels that will
be utilised between the audit team and the auditee. Any change needed to the planned arrangements
should be raised by the team leader.
The language to be used during the audit may need to be confirmed at the opening meeting, as may the
availability of resources and facilities needed by the audit team and any matters relating to confidentiality
and information security.
Necessary confirmations should also be sought in respect of relevant access, health and safety, security
and other arrangements for the team and for activities on site which could impact the conduct of the
audit. The audit team leader should additionally agree the arrangements to ensure that the auditee will
be kept advised of the audit’s progress.
During the opening meeting, the auditee should be advised as to how the audit findings will be reported
and graded (if applicable), under what circumstances the audit may be terminated, and how they should
deal with any possible findings arising from the conducting of the audit. The auditee should also be made
aware of any arrangements for providing feedback on the audit findings or conclusions, including how to
register complaints or appeals.
In any event, the audit team leader should periodically coordinate team meetings in order to share
information, assess progress and reassign work as may be required.
During the conducting of the audit, the audit team leader should communicate the progress of the audit,
any significant findings (added for 2018) and any concerns to both the auditee and the audit client. If the
evidence collected suggests an immediate and significant risk, it should be reported without delay to the
auditee and, as appropriate, the audit client. Agreement should then be reached between the parties as
to what action it would be appropriate to take.
Any concerns identified which fall outside of the scope of the audit should be noted and reported to
the audit team leader, for possible communication to the audit client and auditee.
Also, if the audit evidence indicates that the audit objectives cannot be realised, this should be
communicated by the audit team leader to the audit client and auditee in order that they can determine
necessary action. Examples of such action are revisions to audit planning, the audit objectives and/or
audit scope and the termination of the audit.
Any necessary changes to the audit’s planning which become apparent during the conducting of the
audit should be reviewed and accepted (previously ‘approved’) by both the individual(s) managing the
audit programme and the audit client (previously ‘the auditee’) and then communicated to the auditee.
ISO 19011:2018 highlights that where, when and how to access information is critical to conducting an
audit. These are independent of where the information is created, used or stored.
Note that audit programme management has responsibility for selecting and determining the
audit methods so should be consulted prior to any significant changes.
This sub-clause confirms that the auditee’s relevant documented information should be reviewed
during the audit, in order to determine conformity of the auditee’s management system (so far as the
documentation permits) with the audit criteria, and to amass information to support audit activities.
Annex A (A.5) provides further guidance on the verification of information which may be used as
objective evidence in an audit.
The review of documented information can take place alongside other audit activities and can extend
for the full duration of the audit providing it does not have a detrimental impact on the effective
conducting of the audit e.g. by taking up time which delays the audit progress.
If it proves impossible to acquire adequate documented information within the timeframe set out in the
audit plan, the audit team leader should advise both the individual(s) managing the audit programme
and the auditee. A decision should then be taken as to whether to continue with or to suspend the
audit until such time that the documented information issue is addressed.
Information still needs to be gathered during the audit process which is relevant to the audit objectives,
scope and criteria. This includes information relating to interfaces between functions, activities and
processes. The information should be collected by sampling. Further guidance on sampling techniques is
given in Annex A (A.6).
The 2011 edition called for this information to be verified and stated only information that has been
verified can form audit evidence.
The 2018 edition however has softened this position and calls for verification as ‘far as is practical’. It
advises that only information that can be ‘subject to some degree of verification’ should be accepted
as audit evidence, and in instances where the degree of verifiability is low auditors should use their
professional judgement to determine the degree of reliance that can be placed upon it.
Both the 2011 and 2018 editions call for audit evidence to be recorded. If the audit team becomes
aware of any changed circumstance, risks or opportunities (previously ‘circumstances or risks’) whilst
collecting objective evidence (previously ‘evidence’) they should take these circumstances into account.
The 2011 figure 3 – ‘overview of the process of collecting and verifying data’ becomes figure 2 –
‘overview of a typical process of collecting and verifying information’, however the stages remain the
same. Sampling is used to draw information from its source. This information is subject to verification
after which it becomes audit evidence. The audit evidence is evaluated against the audit criteria which
generate audit findings in the event of any issues or concerns. The findings are reviewed, and audit
conclusions are drawn.
The 2011 methods for collecting information (interviews, observations, review of documentation) are
carried across to ISO 19011:2018 (with documentation becoming documented information). Further
guidance on techniques associated with obtaining information is given in Annex A (A.14, A.15 and A.17).
Both the 2011 and 2018 editions reiterate that audit evidence should be evaluated against the audit
criteria in order to determine audit findings.
Note that, according to the definition, audit findings can include both conformity and nonconformity
with the audit criteria.
If the audit plan requires it, single audit findings should include recognition of conformity and
good practice (along with their supporting evidence), opportunities for improvement and any
recommendations to the auditee on the implications of the findings. Annex A (A.18) notes that, if
agreed by the audit client, the auditor may guide the auditee on the response to the findings. This is
more common in second party audit situations during client audits on suppliers.
Nonconformities and their supporting evidence should always be recorded. These ‘can be graded’ if
desired, to which the 2018 edition adds ‘depending on the context of the organization and its risks’. The
2018 edition also states that this grading can be either quantitative (the nonconformity is a level 1, 2, 3
etc.) or qualitative (the nonconformity is major, minor etc.). There is no universally agreed method for
grading of nonconformities although audit clients and auditing organizations often develop their own
standard practices.
Nonconformities should be reviewed with the auditee in order to confirm that the audit evidence is
accurate and to ensure that the auditee understands the nonconformity. If there is disagreement about
the audit evidence or the audit findings, every effort should be made to resolve this. If resolution is
impossible, the unresolved issue should be recorded for reporting to the audit programme management
and, if appropriate, to the audit client.
The purpose of this meeting is to review the audit findings, (as well as any other information collected
during the conducting of the audit), against the audit objectives.
The audit team should then agree audit conclusions, taking into account the uncertainty inherent in the
audit process. Recommendations, e.g. a decision on awarding certification, should also be prepared if a
requirement for such is specified in the audit plan.
Note that the audit team leader should make the final decision on the audit conclusions to be
presented to the auditee as the individual responsible to audit programme management.
Additionally, the audit team should discuss any required audit follow-up to be advised to the auditee and
recommended to audit programme management.
There are significant differences between the text appearing in the 2011 edition and that which appears
in the 2018 edition.
ISO 19011:2018 notes that the audit team’s conclusions may contain content relating to the extent of
conformity with the audit criteria and the robustness of the management system, including how effective
it is in meeting its intended outcomes (previously ‘stated objectives’) and (new for 2018) the audit
team’s evaluation of the risk-based approach taken by the auditee’s management system.
The team’s conclusions may also contain content relating to the effectiveness of the implementation,
maintenance and improvement of the management system, references to the achievement of the audit’s
objectives, coverage of the audit scope and/or the extent to which the audit criteria have been fulfilled.
The conclusions may also include details of similar findings made in different areas during the audit or
that were audited at an earlier time in order to identify trends.
The 2011 references to audit conclusions addressing the root causes of findings and the capability
of the management review process to ensure the continuing suitability, adequacy, effectiveness and
improvement of the system have been deleted. This recognises that determination of root cause is the
responsibility of the auditee as a component of any corrective action taken.
The purpose of the closing meeting is unchanged in the 2018 edition. It is still convened in order to
present the audit findings and conclusions. In the 2011 edition the closing meeting is ‘facilitated’ by the
audit team leader however in the 2018 edition the audit team leader now ‘chairs’ the meeting. Where
ISO 19011:2011 called for the participation of those responsible for the functions or processes which
were audited ‘where appropriate’, the 2018 edition drops the ‘where appropriate’, implying that the
management of the auditee should be present at the closing meeting. ISO 19011:2018 suggests the
closing meeting includes these individuals, as well as the audit client, other members of the audit team
and relevant interested parties, as identified by the audit client and/or auditee (previously just the ‘audit
client and other parties’).
The audit team leader should still advise the auditee of any situations encountered during the
conducting of the audit which may affect the confidence that can be placed in the audit’s conclusions.
Also, participants at the meeting are still expected to agree on the timings for an action plan to address
the audit’s findings, if this is defined in the management system or has been agreed with the audit client.
The 2011 edition identified that the degree of detail provided at the closing meeting should be
dependent on how familiar the auditee is with the audit process. This is carried forward into the 2018
edition which additionally identifies that the degree of detail provided should also take into account the
effectiveness of the management system in achieving the auditee’s objectives, including consideration of
its context, risks and opportunities.
During the closing meeting the auditee should be advised that the audit evidence was based on a
sample and (new for 2018) that this sample may not be fully representative of the overall effectiveness
of the auditee’s processes. The auditee should also be made aware of how the audit will be
reported, how the audit findings should be addressed based on the agreed process, and the possible
consequences to the auditee if they fail to address the findings.
The audit findings and conclusions should still be presented in a manner which ensures that they
are understood and acknowledged by the auditee’s management. The closing meeting should also
reference any post audit activities that may be considered, including the implementation and (new
for 2018) ‘review’ of corrective actions, the addressing of audit complaints and the operation of the
appeals process.
As for the 2011 edition, if the audit team and the auditee have divergent opinions on the audit findings
or conclusions, these should be discussed and ideally resolved.
Note that it is not necessary for the audit team leader to wait until the closing meeting before
communicating significant audit findings and concerns to the auditee (refer to 6.4.4). The closing
meeting is essentially a presentation meeting and the audit team leader should try to pre-empt
any contention at the meeting through this earlier communication. If resolution is not possible
then this should be recorded for reporting to audit programme management and, if required,
the audit client.
Opportunities for improvement may also be presented at the closing meeting, if specified in the audit
objectives. If opportunities for improvement are presented it should be emphasised that these are not
binding on the auditee and will not affect the determination of the audit objectives. In this respect there
is no difference between the 2018 edition and the 2011 edition.
6.5 Preparing and distributing audit report
6.5.1 Preparing the audit report
This report is sometimes known as the “audit summary report” and may be different from a separate
findings report issued by audit team members. In any event, the audit report should cover the full extent
of the audit process undertaken by the audit team.
As is the case for the 2011 edition, ISO 19011:2018 identifies that it is the audit team leader’s
responsibility to report the results of the audit in accordance with the audit programme.
Audit reports should still provide a complete, accurate, concise and clear record of the audit. They
should still include or refer to the audit objectives, the audit scope and in particular the identification
of the organization (i.e. the auditee) and any functions or processes that were audited, including all the
audit participants. Additionally, they should record the dates and locations of the audit, the audit criteria
which were applied and the audit findings and their related evidence. A statement should also be
included which identifies the degree to which the audit criteria have been fulfilled.
Other contents for the audit report, shared with the 2011 edition, are references to or the inclusion
of the audit plan including the time schedule, a summary of the audit process and any obstacles
encountered during the audit that may impact the audit conclusions, confirmation of the achievement
of the audit objectives (within scope and in accordance with the audit programme), a summary
of the audit conclusions and the main findings that support them, and recognition of any good
practice identified.
As for ISO 19011:2011, any agreed follow up should also be included or referenced in the audit
report, as should a statement regarding the report’s confidentiality and any implications for the audit
programme or subsequent audits arising from the conduct of the audit.
Newly added for the 2018 edition is the recommended inclusion of wording to reflect that audits
are a sampling exercise and consequently there is a risk that the evidence examined may not be
representative. The 2018 version also includes the addition of comment on any part of the audit
scope which may not have been covered, possibly due to lack of access to evidence, resources or
confidentiality restrictions.
Dropped for the 2018 edition is the suggested inclusion of a distribution list for the audit report
(although the report still needs to be distributed as per 6.5.2) as well as the note to the sub-clause
which identifies that the audit report can be developed before the closing meeting.
As in ISO 19011:2011, the audit report should be dated and reviewed but whereas 2011 calls for it
to be ‘approved in accordance with audit programme procedures’, 2018 calls for it to be ‘accepted, as
appropriate, in accordance with the audit programme’.
Any documented information (previously ‘documents’) connected with the audit should be retained or
disposed of (previously ‘destroyed’) by agreement between the participating parties, and in accordance
with the audit programme (previously ‘audit programme procedures’) and any applicable requirements.
Neither the individual(s) managing the audit programme nor members of the audit team should
disclose information (previously ‘the contents of documents and other information’) obtained during the
audit to any third party unless explicit permission to do so is obtained from the audit client, or unless
there is a requirement to disclose the information by law. ‘Information’ includes the audit report. Where
the contents of an audit document are to be disclosed for whatever reason, the audit client should be
informed as soon as is practically possible.
ISO 19011:2018 treats lessons learned from audits differently to the 2011 edition. Under 2011, lessons
learned from conducting the audit should be ‘entered into the continual improvement process of the auditee’s
management system’. In 2018, there is just an acknowledgement that both the auditee and audit programme
management should identify how the audit can contribute to risks and opportunities for both parties.
Note the 2011 reference to preventive action has been dropped in the 2018 edition.
Correction, corrective actions and opportunities for improvement are normally decided and undertaken
by the auditee within an agreed timeframe. The status of the actions should be advised by the auditee to
the individual(s) managing the audit programme, as appropriate.
The completion and effectiveness of these actions should be verified. This is known as audit follow-up and
may involve another audit process being undertaken or the verification activity added to a subsequent audit.
Note that any decision on audit follow-up should be taken by programme management,
albeit taking into consideration any references to post-audit activities made at the closing meeting
(refer to 6.4.10).
7. Competence and Evaluation Of Auditors
7.1 General
The recognition continues that confidence in the audit programme depends to a significant degree
on the competence of those individuals involved in the audit process. The 2011 edition called for
this competence to be evaluated (the 2018 edition calls for regular evaluation) by means of
examining an auditor’s behaviours and their knowledge and skills gained through audit experience, work
experience, training and education.
The sub-clause recognises that some of the knowledge and skills an auditor should possess are generic
whilst others are discipline or sector specific. There is a reminder that not all auditors in an audit team
need to have the same levels of knowledge or skills as long as collectively the necessary competence to
achieve the audit’s objectives exists within the team as a whole.
It is suggested that the evaluation of auditor competence is planned, implemented and documented
in order to generate an outcome which is objective, consistent, fair and reliable. Four key steps are
identified: determine the competence necessary to complete the audit programme, establish
the evaluation criteria based on the programme needs, select the evaluation method(s) and carry out
the evaluation.
The outcome of the evaluation process will provide a basis for audit team member selection and will
also identify any competence gaps (competence required vs competence possessed) that need to be
addressed. The outcome will also assist with the ongoing evaluation of auditors.
To underline the importance of this competence issue, there is a reference to a process for evaluating
auditors and audit team leaders in sub-clauses 7.3, 7.4 and 7.5. There is also recognition that auditors
and audit team leaders should be evaluated against the criteria set out in sub-clauses 7.1, 7.2.2 and
7.2.3. The competence required of the individual(s) managing the audit programme is referenced in
sub-clause 5.4.2.
ISO 19011:2011 suggested that in deciding the appropriate knowledge and skills required of an auditor
in order to complete an audit, several considerations are necessary. These include the size, nature and
complexity of the organization to be audited, the management system disciplines to be audited and the
objectives and extent of the audit programme. The 2018 edition replaces ‘knowledge and skills’ with
‘competence’, and adds the products, services and processes of auditees to the main considerations.
Other considerations for determining auditor competence in the 2011 edition include: any other
requirements such as those imposed by external bodies, (in ISO 19011:2018 this becomes ‘imposed by
the audit client or other interested parties’), the role of the audit process in the management system of
the auditee (this has been deleted from the 2018 edition), the complexity of the management system
being audited (‘complexity and processes’ in the 2018 edition) and the uncertainty in achieving audit
objectives (no change).
Newly added for 2018 is another consideration relating to the competence of an auditor as regards the
risk-based approach found in the management system. This implies that the auditor may require a more
thorough knowledge of the auditee’s business sector than was previously necessary.
Also, the 2018 revision refers to ‘desired professional behaviours’ (previously ‘professional behaviours’).
This implies that not all attributes may be demonstrated fully by all auditors.
Otherwise, the list of behaviours remains the same. Auditors are expected to be ethical, open-minded,
diplomatic, observant, perceptive, versatile, tenacious, decisive, self-reliant, to act with fortitude, open to
improvement, culturally sensitive, collaborative.
7.2.3.1 General
As in the 2011 version, all auditors should possess the necessary knowledge and skills to enable them to
achieve the intended results of the audits they are required to perform. This comprises both generic
competence and a level of (previously ‘some’) discipline and sector specific knowledge and skills.
Audit team leaders should additionally possess the necessary knowledge and skills to enable them to
provide leadership to an audit team.
The list of what an auditor should be able to do in respect of audit principles, processes and methods
has been supplemented in the 2018 revision by the ability to comprehend the risks and opportunities
involved in auditing as well as the principles of the risk-based approach. There is also the ability to
conduct audits of a complete process where the interactions with other processes and functions of a
process need to be considered. This is often referred to as ‘process auditing’.
The following are retained in the 2018 edition: to plan and organize work effectively, to perform the
audit within the agreed time schedule and to prioritise on matters of significance. Also retained are: to
communicate effectively both orally and in writing, to collect information through interviews, listening,
observing and reviewing documented information (previously ‘documents’), to understand and consider
the views of technical experts, to verify the relevance and accuracy of information that has been
collected and to confirm whether the information collected is sufficient and appropriate enough to
support the audit findings and audit conclusions.
The final three entries carried over from the 2011 edition are; to assess factors which may affect the
reliability of the audit findings and conclusions, to document audit activities and findings and prepare
reports, and to maintain the confidentiality and security of audit information.
The 2011 edition entries ‘use work documents to record audit activities’ and ‘apply audit principles and
methods’ have been deleted from the ISO 19011:2018 list.
The second of the four areas relates to management system standards and other references (previously
‘management system and reference documents’). Both the 2011 and 2018 editions highlight that
knowledge and skills in this area enable the auditor to understand an audit’s scope and apply
audit criteria.
The necessary knowledge and skills should relate to management system standards or other normative
or guidance or supporting documents which are used to establish audit criteria or audit methods
(previously ‘management system standards or other documents used as audit criteria’). The auditor
should also have the knowledge and skills to understand how the auditee has applied the management
system standard(s) to their organization. They should understand the relationships and interactions
between processes (previously ‘components’) of the management system, and the importance
and respective priority of multiple standards or references (previously ‘the hierarchy of reference
documents’). They should also understand the application of standards or reference documents
(previously just ‘reference documents’) to different audit situations.
The third of the four areas relates to the organization and its context (previously ‘organizational context’).
Both the 2011 edition and the 2018 edition advise that knowledge and skills in this area enable the
auditor to understand the auditee’s structure, purpose and management practices. The knowledge and
skills that should be possessed include an understanding of the needs and expectations of relevant
interested parties that impact the management system (this is new for 2018).
Note that these particular auditor skills should be enhanced by the preparation activities
described in section 5.5.2. They should also cover organizational types, governance, size, structure,
functions and relationships and general business and management concepts, processes and
related terminology (including planning, budgeting and people management). Finally, the need for
knowledge and skills relating to the cultural and social aspects of the auditee is carried across
from ISO 19011:2011 to the 2018 edition.
The fourth of the four areas of generic knowledge and skills relates to the auditor’s ability to work
within the auditee’s applicable legal and statutory framework including other requirements which
may be imposed. Auditors should sufficiently understand the statutory and regulatory requirements
(previously ‘laws and regulations’) and their governing agencies, basic legal terminology and contracting
and liability law, in relation to the auditee’s activities, processes (new for 2018) products and services
(also new for 2018).
A new note has been added for 2018 which advises that awareness of statutory and regulatory
requirements does not imply legal expertise. As a result, a management system audit should not be
treated as a legal compliance audit by any of the audit participants. Such an audit requires a different
level of legal knowledge and expertise than that expected of a management systems auditor.
The 2018 edition advises that the discipline and sector specific competence auditors should possess
includes: knowledge of management system requirements and principles and how they are applied,
the fundamentals of the discipline(s) and sector(s) which relate to the management system standards
as applied by the auditee, and competence in the application of discipline and sector specific methods,
techniques, processes and practices which permit the team to assess conformity within the defined
audit scope and to generate appropriate audit findings and conclusions.
Additionally, auditors should possess competence in principles, methods and techniques which are
relevant to the discipline and sector, such that the auditor is able to evaluate risks and opportunities
associated with the audit objectives (previously knowledge of risk management principles, methods and
techniques relevant to the sector such that the auditor can evaluate and control risks associated with
the programme).
The 2011 edition recommendations that the discipline specific knowledge and skills should include
‘legal requirements relevant to the discipline or sector’ and ‘the requirements of interested parties
relevant to the sector’ have been removed, as has ‘sufficient knowledge of the particular sector, the
Also removed for 2018 are discipline specific knowledge and skills relating to risk management,
principles and methods relevant to the discipline and sector and the text suggesting the possession of
knowledge and skills in respect of ‘the application of business and technical discipline specific methods,
techniques, processes and practices’.
The 2018 edition advises that audit team leaders should possess the necessary competence
(previously ‘additional knowledge and skills’) to facilitate (previously ‘manage’) the efficient and effective
conducting of the audit.
This should include the competence required to plan and assign audit tasks to audit team members
based on each team member’s specific competence (previously – ‘competence to balance the strengths
and weaknesses of individual(s) team members’). The audit team leader’s competence should include
an ability to discuss strategic matters with the auditee’s top management in order to determine whether
these matters were considered during the evaluation of the organization’s risks and opportunities
(this is new for 2018). The 2011 edition competence, ‘developing a harmonious working relationship
amongst audit team members’ becomes ‘develop and maintain a collaborative working relationship’ in
the 2018 edition.
The audit team leader should still possess the necessary competence to manage the conducting of
audits. This includes the competence to ensure that their available audit resources are effectively used,
that any uncertainty in respect of achieving the audit objectives is managed, that the health, safety and
security of their team is preserved, that audit team members are appropriately directed in their duties
and that auditors in training receive the direction and guidance that they require. The 2011 edition
text calling for competence to prevent and resolve conflicts is expanded in the 2018 edition to include
problems during the audit, including those within the audit team.
As was the case in the 2011 edition, ISO 19011:2018 also calls for audit team leader competence in
representing the audit team in communications with the individual(s) managing the audit programme,
the audit client and the auditee, in leading the audit team to reach conclusions, and in preparing and
completing the audit report.
ISO 19011:2011 highlighted that single auditors in an audit team conducting multi-disciplined audits
should have the necessary competence to audit at least one of the management systems. This text has
been removed from the 2018 edition. The 2018 edition does however retain the 2011 text advising that
single auditors on the audit team should understand how the different management systems interact
and the synergies that should be present.
There is a new note which points out that multiple discipline audits can take place both in joint audits
and where an integrated management system involves two or more disciplines.
Other identified methods for achieving competence include work experience in a relevant technical,
managerial or professional position where the exercising of judgement, problem solving, decision making
and effective communication with relevant interested parties were important, as well as education/training
and experience in a specific management system discipline and sector that contributes to the development
of overall competence (previously ‘experience in the sector that the auditor intends to audit in’).
Note that these are the same factors which are applied in the auditor certification schemes
operated by the CQI and IRCA.
Note that the CQI and IRCA auditor certification schemes require evidence of this direction and
guidance for certification as Lead Auditor.
Auditors should be evaluated using two or more methods. The Standard notes that not all the methods
may be applicable and that the different methods differ in their reliability. As a result, a combination of
methods is recommended.
Auditor evaluation methods include: review of records, obtaining feedback, conducting interviews,
observation, testing and the conducting of post-audit reviews.
Information collected about the auditor under evaluation (previously ‘person’) should be compared to the
criteria established in clause 7.2.3 – knowledge and skills. If an auditor under evaluation does not meet the
defined criteria they should undertake additional training, work experience and/or audit experience to
address their competence gap. Once they have completed this their competence should be re-assessed.
This can involve a variety of means including, but not limited to, additional work experience, self-study,
training, attendance at meetings, conferences and seminars.
The individual(s) managing the audit programme should establish suitable methods for continually
evaluating the performance of audit team leaders and auditors.
Continual professional development activities should take into account changes in the needs of the
individual(s) and the organization responsible for conducting the audit. They should also take into
account developments in the practice of auditing including the use of ICT and other new technologies
(new for 2018), relevant standards (including guidance/supporting documents) and other requirements,
and changes in the sector and/or discipline (new for 2018).
Now Deleted – 19011:2011 - Annex A (Informative) –
Guidance And Illustrative Examples Of Discipline-
Specific Knowledge And Skills Of Auditors
A.1 General
Although there was a general acceptance that the contents of this section added value, the committee
working on the new standard (ISO/PC302) also accepted that from a practical perspective there were
significant challenges associated with keeping annex A up to date on an ongoing basis. These relate to
the ever-increasing number of published management system standards and the fact that there is no
planned role for the ISO/PC302 committee after the publication of ISO 19011:2018.
This means ISO 19011:2011 annex B now becomes ISO 19011:2018’s Annex A.
Responsibility for the effective application of audit methods for any given audit remains either with
the individual(s) managing the audit programme or the audit team leader who is also responsible for
conducting audit activities.
Additional considerations that could be considered when determining the feasibility for remote
audit have been included in ISO 19011:2018. These include the level of risk to achieving the audit
objectives that auditing remotely may present and the requirement to satisfy any applicable regulatory
requirements in respect of on-site versus remote audit. The relationship between the auditor and
auditee continues to be a contributory factor when considering a remote audit.
There should be a balanced use of on-site and remote audit methods in the audit programme in order
to ensure that the audit programme objectives can be achieved.
The process approach dictates that organizations will achieve more consistent and predictable results,
more efficiently and effectively, when their management system activities are managed as inter-related
processes that collectively function as a single, coherent system. Auditors can use this methodology by
focussing on the auditee’s processes and their interactions when planning and conducting audits.
When conducting combined or integrated system audits, auditors should consider the level of
integration of different management systems and their intended results when evaluating performance.
Information may be provided in a form or from a source other than that which the auditor was
expecting. In such cases the auditor should closely evaluate the integrity of the information.
The 2018 revision re-emphasises the need to pay particular attention to information security and
protection of data both within and outside of the audit scope, especially for legal reasons.
The previous note about document control effectiveness has been deleted.
Audit sampling is required when it is not cost effective or practical to examine all the available
information during an audit. The evaluation can be based on particular specimens selected to
represent the characteristics of the whole batch with confidence that the outcome will be reliable,
depending on the integrity of the information. If the sampling method is not correct, incorrect
conclusions may be drawn.
The stages involved in sampling are: establish the objectives of sampling, determine the extent and
composition of the population to be sampled, select a sampling method, determine a sample size,
conduct the sampling and then finally, compile, evaluate, report and document the results.
Other factors affecting the decision include the degree of change in technology, human factors or
the management system; previously identified significant risks and (new for 2018) opportunities for
improvement as well as the output from the monitoring of management systems.
Auditors should bear in mind that with judgement-based sampling it is not possible to determine
a scientifically defined, statistically based degree of uncertainty between the audit findings and the
audit conclusions. i.e. the level of the reliability of this method is based on intangible factors for which
measurement is often impossible.
The sampling plan should take the audit objectives into account along with knowledge of the target data.
Such sampling can either be attribute based or variable based.
Key elements to be considered are the context (new for 2018), size, nature and complexity of the
organization, the number of competent auditors available, the frequency of audits during the year, the
time allowed for each single audit, and any externally required confidence level (sometimes known
The sample size will depend on the level of sampling risk that can be accepted, and it should be
determined beforehand (i.e. the acceptable confidence level). If the auditor is willing to accept that 5 out
of 100 items sampled will be unrepresentative of the population, then the acceptable confidence level
is 95%. The acceptable confidence level should be recorded, along with a description of the population
that was sampled, the statistical basis and methods used, the number of samples evaluated, and the
results obtained. Note that international and national standards are available for use in the application of
statistical sampling procedures.
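The sampling stages listed above and the confidence-level discussion, as an added worked example that is not part of this report or of ISO 19011 itself: a zero-acceptance attribute-sampling plan in Python. It assumes a binomial model for a large population (and an exact hypergeometric calculation for a small one), a one-sided Clopper-Pearson upper bound for evaluating the sample, and a constructed set of change tickets as the population being sampled. The ticket data, the 95%/5% thresholds and the function names are illustrative, not drawn from the standard.

```python
"""Attribute sampling for audit evidence: plan the sample, evaluate it, record it.

Added example; the statistical model (binomial / hypergeometric, Clopper-Pearson
bound) is an assumption of this example, not text from ISO 19011.
"""
import math
from dataclasses import dataclass, asdict
from typing import Callable, Iterable, Optional


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size_zero_acceptance(confidence: float, tolerable_rate: float,
                                population: Optional[int] = None) -> int:
    """Smallest sample size n such that a population whose true nonconformity
    rate equals tolerable_rate would, with probability >= confidence, show at
    least one nonconformity in the sample (a zero-acceptance plan).

    population=None treats the population as large (binomial). A finite
    population uses the exact hypergeometric probability of drawing zero
    nonconforming items, assuming ceil(tolerable_rate * population) of them.
    """
    if not 0 < confidence < 1 or not 0 < tolerable_rate < 1:
        raise ValueError("confidence and tolerable_rate must lie in (0, 1)")
    if population is None:
        # (1 - p)^n <= 1 - c  =>  n >= ln(1 - c) / ln(1 - p)
        return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))
    defects = math.ceil(tolerable_rate * population)
    for n in range(1, population + 1):
        p_zero = math.comb(population - defects, n) / math.comb(population, n)
        if p_zero <= 1 - confidence:
            return n
    return population


def upper_bound_rate(sample_size: int, nonconforming: int, confidence: float,
                     tol: float = 1e-9) -> float:
    """One-sided upper (Clopper-Pearson) bound on the true nonconformity rate.

    Found by bisection: the smallest p at which observing at most
    `nonconforming` items in the sample is no more likely than 1 - confidence.
    """
    if nonconforming >= sample_size:
        return 1.0
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binomial_cdf(nonconforming, sample_size, mid) > 1 - confidence:
            lo = mid  # this rate is still plausible, so the bound lies higher
        else:
            hi = mid
    return hi


@dataclass
class SamplingRecord:
    """The items the text says should be recorded alongside the result."""
    population_description: str
    method: str
    confidence: float
    tolerable_rate: float
    sample_size: int
    nonconforming: int
    upper_bound_rate: float
    conclusion: str


def count_nonconforming(items: Iterable[dict], is_conforming: Callable[[dict], bool]) -> int:
    """Apply the attribute test to each sampled item and count failures."""
    return sum(1 for item in items if not is_conforming(item))


def evaluate_sample(population_description: str, method: str, sample_size: int,
                    nonconforming: int, confidence: float, tolerable_rate: float) -> SamplingRecord:
    """Compare the upper bound on the nonconformity rate with the tolerable rate."""
    bound = upper_bound_rate(sample_size, nonconforming, confidence)
    if bound <= tolerable_rate:
        conclusion = "nonconformity rate within tolerable rate at stated confidence"
    else:
        conclusion = "tolerable rate may be exceeded: extend the sample or raise a finding"
    return SamplingRecord(population_description, method, confidence, tolerable_rate,
                          sample_size, nonconforming, bound, conclusion)


# Constructed sample input (not real audit data): 59 change tickets, each with
# an approval attribute; a ticket closed without approval is the nonconformity.
CONSTRUCTED_TICKETS = [{"id": f"CHG-{i:03d}", "approved": i != 37} for i in range(1, 60)]


if __name__ == "__main__":
    print("large population, 95% / 5%:", sample_size_zero_acceptance(0.95, 0.05), "items")
    print("population of 200, 95% / 5%:", sample_size_zero_acceptance(0.95, 0.05, population=200), "items")
    found = count_nonconforming(CONSTRUCTED_TICKETS, lambda t: t["approved"])
    record = evaluate_sample("change tickets closed in the period (constructed)",
                             "zero-acceptance attribute sampling, binomial model",
                             len(CONSTRUCTED_TICKETS), found, 0.95, 0.05)
    print(asdict(record))
```

With a 95% confidence level and a 5% tolerable rate the plan needs 59 items when the population is large, and fewer when the population is small enough that drawing without replacement matters. A single unapproved ticket among those 59 pushes the upper bound on the true rate to roughly 7.8%, so the sample no longer supports a conclusion that the rate is within 5%; the auditor either extends the sample or reports the finding, and records the confidence level, population description, method, sample size and result as the text requires.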
The audit team should consider whether the auditee has effective processes in place for identifying the
statutory and regulatory requirements and other requirements it has committed itself to, for managing
its activities, products and services in order to achieve compliance with these requirements, and to
evaluate its compliance status.
The audit team should also consider whether the auditee has an effective process for identifying changes
in compliance requirements and for considering these as part of its management of change.
There should be competent people responsible for managing compliance processes and the auditee
should be maintaining and providing documented information on its compliance status as required for
regulators or other interested parties. Auditors should also expect to see compliance requirements
covered by the internal audit programme.
Any instances of non-compliance should be addressed by the auditee, and compliance performance
should be considered by the auditee’s management review.
Issues to be addressed include determining the needs and expectations of relevant interested parties
and the external and internal issues the organization faces.
Auditors should ensure that suitable processes have been developed by the organization to determine its
context such that the results of this exercise provide a reliable basis for the definition of scope and the
development of the management system. Objective evidence should be sought to confirm that this is the
case. This can include identification of the processes or methods used, an evaluation of the suitability and
competence of individuals contributing to the process, an evaluation of the results of the process, an
examination of the application of the results of the process and confirmation that periodic reviews of
context are taking place, as appropriate.
Auditors should have the necessary sector specific knowledge and understanding of the management
system tools that organizations may employ to determine context, in order that they can then make a
judgement as to the effectiveness of the organization’s determination processes.
Auditors should seek objective evidence to confirm the degree to which top management are fulfilling
their obligations, particularly those regarding the effectiveness of their organization’s management
system(s). This can be achieved by reviewing the results from relevant processes (e.g. creation and
maintenance of policy and objectives, provision of necessary resources, relevant communications from
top management to their organization) and by interviewing staff in order to ascertain the degree of top
management engagement.
Auditors should also interview members of the top management team to ensure that they understand
their own management system(s) responsibilities, any discipline specific issues relevant to their
management system(s), the context their organization operates in and the intended results of their
management system(s).
Auditors should note that it is not only top management that should be assessed under leadership
requirements. Leadership and commitment should be audited at all levels of management, not just
top management.
In this case, the determination and management of the auditee’s risks and opportunities needs to be
audited. The principal objectives for doing so are to give assurance on the credibility of the risk and
opportunity identification processes, to give assurance that the risks and opportunities have been
correctly determined and to review how the organization has subsequently addressed the risks and
opportunities it has determined.
Auditors should take a holistic approach to audit an organization’s determination of risks and
opportunities rather than view them in isolation as this activity has repercussions throughout the system.
Inputs to the determination of risks and opportunities can include an analysis of external and internal
issues, the strategic direction of the organization, relevant interested parties and their relevant
requirements and other potential sources of risk such as environmental aspects.
The guidance states that the assessment of an organization’s treatment of risk and opportunities,
including the level of risk it has chosen to accept and how it is controlling this, will require the
application of professional judgement by the auditor (refer to Annex A.3).
Adopting a life cycle perspective allows the organization to identify those areas where, in consideration
of its scope, it can minimise its impact on the environment whilst adding value to the organization. The
life cycle may include stages such as raw material acquisition, product or service design, production,
transportation and delivery, use, end of life treatment and final disposal.
In such cases an auditor should consider the extent of control and influence that the organization
has over the various stages of its product and/or service life cycle. They should use their professional
judgement to determine how the organization has applied a life cycle perspective in terms of its strategy,
the life of their product(s) and/or service(s), the organization’s influence on the supply chain, the length
of the organization’s supply chain and the technological complexity of the organization’s product(s)
and/or service(s).
When an integrated management system is involved, the auditor should be mindful of any overlapping
life cycle considerations e.g. differing environmental, quality and regulatory requirements.
Audit work documents are used by the audit team to assist with the planning, conducting and reporting
of audits. Questions should be posed by the audit team linking the work documents to audit records,
audit activities, their use by auditors and the source data for their compilation.
Audit work documents for combined audits should be developed such that duplication of audit activities
is avoided. This can be achieved by amalgamating similar requirements from different criteria into a single
audit work document and by coordinating the content of related checklists and questionnaires within
the audit team.
Auditors should draw this information from a number of sources including interviews with employees
and other individuals, observations of auditee activities, their work environment and surroundings,
reviews of documented information, and the examination of data summaries, analyses and
performance indicators.
Other potential sources include information gained from auditee sampling plans and measurement
processes, business reports, feedback and surveys, the contents of databases and websites and
information generated from simulations and modelling.
When planning and conducting the audit, the audit team should take action to minimise their
interference in the auditee’s work processes.
At the off-site planning stage, permission should be sought to access those parts of the auditee’s
location necessary in order to conduct the audit. Adequate information should be provided to audit
team members regarding security arrangements, occupational health and safety matters, cultural norms
and (new for 2018) ‘working hours for the visit’. Any requirements for personal protective equipment
should also be clarified with the auditee, as should the availability of such equipment. In instances other
than unannounced or ad hoc audits, auditees should be made aware of the audit scope and objectives.
New for 2018 is a paragraph relating to the use of recording equipment for the collection of evidence,
(the 2011 edition referenced ‘taking photographs or use of video’). If the use of such equipment is being
considered, permission should be obtained from the auditee at the planning stage, including a discussion
on any limitations for its use.
Once on site the audit team should avoid any unnecessary disturbance of the auditee’s operational
processes. The size of the audit team and the number of guides and observers may need to be adapted.
Audit team members should use the personal protective equipment they are provided with in the
proper manner. The auditee’s emergency procedures should also be communicated e.g. at a health and
safety induction. Should an incident occur on site, the audit team leader and auditee should review the
situation and agree whether the audit should be interrupted, rescheduled or continued.
During the audit, audit team members should seek permission in advance before taking copies of
documentation and should be mindful of any security or confidentiality arrangements that exist.
Additionally, personal information should not be obtained unless required by the audit objectives or
audit criteria.
New guidance is given in relation to virtual audit which is audit activity that is undertaken without the
auditor being physically present at the auditee’s location e.g. both parties are remote from each other
and are communicating through audio and/or visual means.
In this situation, the audit team should ensure it is using agreed remote access protocols. If screen
shots are to be taken, permission should be sought in advance to do so and any confidentiality and
security arrangements should also be respected. If an unforeseen incident, which impacts the audit
process, occurs during the remote access, the audit team leader should review this with the auditee and
agreement should be reached as to whether to interrupt, reschedule or continue the audit. Graphic
information such as floor plans or diagrams of the remote location should be used to provide context
for the auditor, and both the auditor’s and auditee’s privacy should be respected during any audit breaks.
Consideration should be given as to how information and audit evidence (irrespective of the media it
is held on) is disposed of once the need for its use by the audit team has expired e.g. downloaded files,
messages etc.
The same standard audit process used for face-to-face audits should be followed when using technology
to verify objective evidence. The audit team should ensure their technology and its operation, e.g.
software, is appropriate for conducting the audit. This includes ensuring that agreed remote access
protocols are used, ensuring that checks are completed ahead of the audit in order to identify and
address any technical issues and ensuring a contingency plan is in place and has been communicated,
should the technology fail to perform as planned.
Auditors should have the technical skills necessary to utilise the relevant technology for audit purposes
and they should also have experience in conducting virtual meetings.
The risks associated with virtual audit should also be considered. Floor plans / diagrams should be used
for references or for the mapping of electronic information.
Background noise and interruptions should be minimised, permission sought before taking screenshots
or recordings and privacy should be maintained during audit breaks e.g. pausing video streams
and muting sound.
Interviews are an increasingly important means of accessing information especially when management
systems contain requirements such as to ‘determine’ whether various undocumented activities or
processes are in place. In such instances interviewing several auditees, for corroboration purposes,
provides the auditor with a means to verify whether that determination has taken place.
Interviews should be held with individual(s) from appropriate levels of the organization and from those
functions which are performing activities that fall within the audit scope. They should be conducted
during working hours and, ideally, at the normal workplace of the auditee.
Auditors should attempt to put individuals being interviewed at ease. They should explain the reason
why they are conducting the interview and should confirm that notes are being taken, not to identify
issues, but simply to ensure there is a record of what is being discussed.
The standard recognises auditees may be nervous and suggests a good starting point may be to ask
them to explain the work they do. Auditors should include a mix of open, probing and closed questions
to help establish facts and should avoid the use of leading questions where possible.
Non-verbal communication, e.g. tone of voice, body language, etc., is also important, and auditors
should be aware of this. They should also recognise that in virtual audit situations, the benefit of non-
verbal communication is lost and hence additional emphasis should be placed on adopting good
questioning techniques.
Retained in the list are any follow-up actions from previous audits and their conclusions, the
requirements of the audit client, any findings exceeding normal practice or opportunities for
improvement, the sample size they have taken and the categorisation (if any) of the findings.
In the case of multiple criteria, the auditor can either raise a separate finding for each nonconforming
situation or a single finding which references all nonconforming situations, taking into account the
audit client preferences. If the audit client agrees, the auditor may also provide guidance to the audit
client in respect of how they should respond to the auditor’s findings. This is more common in
second party audits.
Bibliography
ISO 19011:2011 referenced 23 documents and/or websites in its bibliography, including many of ISO’s
principal management system standards.
General
ISO 19011 is a guidance standard and, as a result, organizations are not required to make any changes
to their existing audit arrangements as a result of the publication of ISO 19011:2018.
However, the CQI and IRCA recommends that organizations review their existing approach to audit in
light of ISO 19011:2018’s publication.
The purpose of revising ISO 19011 was to set a higher standard for the effectiveness of both internal
(and where applicable) external audit. The voluntary adoption of the revised guidance contained within
ISO 19011:2018 should result in the implementation of more efficient and effective audit processes and
the development of more competent audit personnel.
The individual managing the audit programme must now consider the context of the auditee’s
organization when designing audit programmes. This requires an understanding of the auditee’s internal and
external issues and the relevant requirements of its stakeholders. They must ensure that the audit
programme is focussed on areas of high risk or where there are recognised performance issues.
The information to be included in the audit programme has increased (see 5.1) and greater emphasis
has been placed on the ongoing monitoring and maintenance of the programme and on the
achievement of the audit programme objectives.
The individual managing the audit programme is expected to use information arising from the
monitoring of the audit programme to drive the programme’s improvement. This is to take place on an
ongoing basis. The individual managing the audit programme is also required to revise the programme if
there are changes to audit objectives, scopes or criteria. They are also expected to notify the audit client
in respect of the risks, opportunities and resource requirements identified during the development of
the audit programme.
In order to undertake these duties, the individual managing the audit programme requires the necessary
competence to deal with any risks and opportunities or internal or external issues to the delivery of
the audit programme. Knowledge of the auditee’s context and business activities plus statutory and
regulatory requirements relating to the auditee’s business is considered essential as is an awareness of
risk, project and process management.
It is the individual managing the audit programme who selects the audit methods to be used based
on their evaluation of the method’s effectiveness and efficiency. Once they have completed the
identification of methods, they should communicate these to the audit client.
The individual managing the audit programme still appoints the audit team leader, audit team members
and technical experts, ensuring their collective competence to conduct the assessment. In doing so
there is an expectation that they will consult on team composition with the audit team leader.
The scope of communication for the individual managing the audit programme has been extended. They
are now expected to interact not just with the auditee but other relevant interested parties, as required.
Once an audit has been completed the individual managing the audit programme must ensure that the
objectives for each single audit have been met. They should review the performance of the entire audit team
and any technical experts and should distribute the audit report to relevant interested parties.
Auditors
It is now accepted that auditors no longer have to be independent of the activity being audited in
order to be able to demonstrate impartiality and objectivity. This is because the demonstration of these
characteristics has more to do with the mind-set of the auditor than it has with their assigned role or
duties. This notwithstanding, there is an expectation that auditors will be independent ‘where practical’, so
if it is possible to structure an audit team in such a way that no auditor audits their own work, then the
individual managing the audit programme should do so.
Auditors can now expect to receive additional information prior to the audit including information
relating to environmental arrangements as well as any requirements for travel to or access of
remote sites. They should also expect to be advised as to their decision-making authority by the
audit team leader.
When conducting desktop reviews auditors will now need to additionally consider the auditee’s
context, risks and opportunities and the audit criteria that are to be applied. They will then be required
to prepare documented information for audit (previously work documents) e.g. checklists which could
be virtual (e.g. online).
One of the most significant changes brought into ISO 19011:2018 is the guidance that audit evidence
is no longer ‘information that can be verified’ but information that can be ‘subject to a degree of
verification’. Increasingly, auditors need to recognise that there will be instances, especially when assessing
elements of Annex SL based standards, where the evidence only suggests conformity and professional
judgement will need to be used in order to determine the degree of reliance the auditor should place
on that evidence. Not everything in the world of audit is black or white; there are shades of grey and
auditors must be comfortable dealing with such uncertainty.
Auditors should expect greater monitoring of their performance during audits and more regular
evaluations of their competence between audits. The inclusion of new topics in annex A indicates an
It is now recognised that a competent auditor requires more than the technical knowledge and skill
required to conduct an audit. They require a greater understanding of the auditee’s business sector,
processes, products and services than previously.
Auditors should understand risks and opportunities and risk-based auditing, and should be competent in
audit principles, methods and techniques relevant to the disciplines and sectors they assess.
All auditors are expected to undertake regular continuing professional development (CPD) and it
is no longer sufficient for an auditor to attend an auditor training course – in order to demonstrate
competence, they are expected to satisfactorily complete it.
While still responsible for agreeing audit arrangements with the auditee, the audit team leader must
now act to resolve any issues in respect of the composition of the team (including any potential conflicts
of interest) with the auditee and/or audit client prior to the audit.
New considerations have been introduced in respect of audit planning and the audit team leader should
ensure that there is a focus on the entire audit planning activity as opposed to just the end product,
‘the audit plan’.
The audit team leader now assigns responsibilities to team members for decision making following
consultation with the team. They direct the use of technical experts and approve (where necessary with
the auditee and the audit client) any guides, observers and/or interpreters.
In the 2011 edition of 19011 the audit team leader facilitated the closing meeting, now they are
expected to Chair the closing meeting.
Audit team leaders must possess the necessary competence to facilitate the efficient and effective
conduct of the audit (previously the ‘knowledge and skills to manage’ the audit) and the competence
to discuss strategic matters with the auditee’s top management. They must also display the necessary
leadership to achieve a collaborative working relationship within the team and to address any issues
within the team.
As is the case for single auditors, audit team leaders are expected to undertake regular continuing
professional development including improving their understanding and application of audit
practice and ICT.
Audit Client
The audit client is the individual or organization that is responsible for commissioning the audit. The
audit client may or may not be the auditee.
ISO 19011:2018 transfers responsibility for establishing the audit programme objectives to the audit
client. There are now specific considerations the audit client must take into account when they
are formulating these objectives. It is essential that the audit programme objectives align with the
strategic objectives of the auditee’s organization. Once agreed, the audit programme objectives should
be documented.
The audit client is also responsible for ensuring that the audit programme is being effectively
implemented, previously a responsibility of the auditee’s top management. They are required to approve
any changes to the programme (also previously an auditee’s role) and should be present at the closing
meeting, as appropriate, with any other interested parties.
Auditees
Auditees should expect to see a more business focussed auditor, aware of their organization’s risks and
opportunities, internal and external issues and the relevant requirements of their stakeholders. They
should expect an auditor with up-to-date skills and knowledge whose performance is being regularly
assessed in order to ensure they remain competent to audit. The auditor should be skilled in a range
of audit methods, tools and techniques and not focussed solely on reviewing documents or sticking
religiously to predefined checklists. They should witness auditors adopting a process approach to audit,
understanding the operation of the auditee’s business holistically as opposed to assessing each individual
element in isolation.
As auditors are increasingly being asked to demonstrate professional judgement, the potential for
disagreement between the auditee and the auditor in respect of audit findings is increased. As is the
case at present, auditees should be prepared to challenge the auditor where they feel that the auditor’s
decision is incorrect.
9. Clause Comparison - ISO 19011:2018 and ISO 19011:2011
The following table highlights the respective structures of the 2018 and 2011 editions of ISO 19011. As
ISO 19011 is not an annex SL based management system standard, the ISO/PC302 committee was not
required to adopt the high-level structure prescribed within annex SL appendix 2.
Whilst the 2018 and 2011 editions’ structures are broadly similar, there are some important differences
as detailed in this table. These centre around the retitling and reordering of a number of the 2011
clauses in the 2018 edition, the introduction of a new sub-clause 6.4.5 - ‘Audit information availability
and access’, the deletion of the 2011 edition’s annex A and the expansion of the 2011 edition’s annex B
which now becomes the 2018 edition’s annex A.
ISO 19011:2018                                                                  | ISO 19011:2011
5.4.2  Competence of individual(s) managing the audit programme                 | 5.3.2  Competence of the person managing the audit programme
5.4.3  Establishing extent of audit programme                                   | 5.3.3  Establishing the extent of the audit programme
5.4.4  Determining audit programme resources                                    | (see 5.3.6 below)
(no equivalent)                                                                 | 5.3.4  Identifying and evaluating audit programme risks
(no equivalent)                                                                 | 5.3.5  Establishing procedures for the audit programme
(no equivalent)                                                                 | 5.3.6  Identifying audit programme resources
5.5    Implementing audit programme                                             | 5.4    Implementing the audit programme
5.5.1  General                                                                  | 5.4.1  General
5.5.2  Defining the objectives, scope and criteria for a single audit           | 5.4.2  Defining the objectives, scope and criteria for a single audit
5.5.3  Selecting and determining audit methods                                  | 5.4.3  Selecting the audit methods
5.5.4  Selecting audit team members                                             | 5.4.4  Selecting the audit team members
5.5.5  Assigning responsibility for a single audit to the audit team leader     | 5.4.5  Assigning responsibility for a single audit to the audit team leader
5.5.6  Managing audit programme results                                         | 5.4.6  Managing the audit programme outcome
5.5.7  Managing and maintaining audit programme records                         | 5.4.7  Managing and maintaining audit programme records
5.6    Monitoring audit programme                                               | 5.5    Monitoring the audit programme
5.7    Reviewing and improving audit programme                                  | 5.6    Reviewing and improving the audit programme
6      Conducting an audit                                                      | 6      Performing an audit
6.1    General                                                                  | 6.1    General
6.2    Initiating audit                                                         | 6.2    Initiating the audit
6.2.1  General                                                                  | 6.2.1  General
6.2.2  Establishing contact with auditee                                        | 6.2.2  Establishing initial contact with the auditee
6.2.3  Determining feasibility of audit                                         | 6.2.3  Determining the feasibility of the audit

ISO 19011:2018                                                                  | ISO 19011:2011
7.1    General                                                                  | 7.1    General
7.2    Determining auditor competence                                           | 7.2    Determining auditor competence to fulfil the needs of the audit programme
7.2.1  General                                                                  | 7.2.1  General
7.2.2  Personal behaviour                                                       | 7.2.2  Personal behaviour
7.2.3  Knowledge and skills                                                     | 7.2.3  Knowledge and skills
7.2.3.1  General                                                                | 7.2.3.1  General
7.2.3.2  Generic knowledge and skills of management system auditors             | 7.2.3.2  Generic knowledge and skills of management system auditors
7.2.3.3  Discipline and sector-specific competence of auditors                  | 7.2.3.3  Discipline and sector specific knowledge and skills of management system auditors
7.2.3.4  Generic competence of audit team leader                                | 7.2.3.4  Generic knowledge and skills of an audit team leader
7.2.3.5  Knowledge and skills for auditing multiple disciplines                 | 7.2.3.5  Knowledge and skills for auditing management systems addressing multiple disciplines
7.2.4  Achieving auditor competence                                             | 7.2.4  Achieving auditor competence
7.2.5  Achieving audit team leader competence                                   | 7.2.5  Audit team leaders
7.3    Establishing auditor evaluation criteria                                 | 7.3    Establishing the auditor evaluation criteria
7.4    Selecting appropriate auditor evaluation criteria                        | 7.4    Selecting the appropriate auditor evaluation method
7.5    Conducting auditor evaluation                                            | 7.5    Conducting auditor evaluation
7.6    Maintaining and improving auditor competence                             | 7.6    Maintaining and improving auditor competence
10. Acknowledgements
The CQI and IRCA would like to thank the authors, reviewers and contributors for their work
on this report.
Richard Green: (principal author)
Ian Dunlop: BSc FCQI CQP, CQI and IRCA Technical Assessor (author)
Denise Robitaille: Chair, ISO PC 302
Alexander Woods: Policy Manager, CQI
The CQI and IRCA would also like to thank Ideagen PLC for their sponsorship and support
of this report.
It exists to benefit the public by advancing education in, knowledge of and the practice of quality in
industry, commerce, the public sector and the voluntary sectors.
IRCA is a division of the CQI and is the leading professional body of management system auditors
www.quality.org
Ideagen Plc
Ideagen provides software and expertise to help the world’s leading brands to improve efficiency,
prevent undesirable events and ensure compliance by managing quality, safety, audit and every aspect
of operational risk.
With over 4,000 customers in more than 90 countries, Ideagen’s products and services are at
the forefront of quality, safety, risk, operational performance and compliance management for
some of the world’s best-known organizations including PwC, Heineken, NHS, Emirates and
Harvard University.
www.ideagen.com
Report published (September 2018) by:
The Chartered Quality Institute (CQI)
2nd Floor North, Chancery Exchange
10 Furnival Street
London EC4A 1AB
www.quality.org
Incorporated by Royal Charter and registered
as a charity. Number 259678