ISO 19011:2011 – Guidelines for Auditing Management Systems
John Coady, Chief Audit Manager
© FSAI

ISO 19011:2011 – Guidelines for Auditing Management Systems
• The second edition of ISO 19011:2011 cancels and replaces the first edition (ISO 19011:2002), which has been technically revised
• Main differences are as follows:
  - Scope
  - Relationship between ISO 19011 and ISO/IEC 17021
  - Remote audit methods
  - Concept of risk
  - Confidentiality
  - Clauses 5, 6 & 7 reorganised
  - Annex B – additional information
  - Competence determination & evaluation process strengthened
  - Annex A – discipline-specific knowledge & skills
  - ISO public website (www.ISO.org/ISO19011Auditing)

Scope
• Scope has broadened to provide guidance on auditing management systems rather than auditing quality and environmental management systems
• Annex A illustrates the application of the guidance in Clause 7 (Competence and Evaluation of Auditors) to different disciplines
• Title of the Standard amended in line with the new scope

Relationship between ISO 19011 and ISO/IEC 17021
• Internal Auditing – sometimes called First Party Audit
• External Auditing
  - Supplier Auditing – sometimes called Second Party Audit
  - Third Party Auditing – for legal, regulatory and similar purposes*
*See also the requirements in ISO/IEC 17021:2011

Remote Audit Methods
• Remote audit activities are performed at any place other than the location of the auditee, regardless of the distance; on-site activities are performed at the location of the auditee
• The feasibility of remote audit activities can depend on the level of confidence between the auditor and the auditee’s personnel
• It should be ensured that the use of remote and on-site application of audit methods is suitable and balanced, in order to ensure satisfactory achievement of audit programme objectives

Concept of Risk
• ISO 19011:2011 introduces the concept of risk to management systems auditing
• The approach adopted relates both to the risk of the audit process not achieving its objectives and to the potential of the audit to interfere with the auditee’s activities and processes
• ISO 19011:2011 does not provide specific guidance on the organisation’s risk management process, but recognises that organisations can focus audit effort on matters of significance to the management system

Confidentiality
New principle of auditing in Clause 4 – Confidentiality: security of information
• Auditors should exercise discretion in the use and protection of information acquired in the course of their duties
• Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interest of the auditee
• The concept includes the proper handling of sensitive or confidential information

Clauses 5, 6, 7 Reorganised
• Clause 5 – provides guidance on establishing and managing an audit programme, establishing the audit programme objectives, and coordinating auditing activities
• Clause 6 – provides guidance on planning and conducting an audit of a management system
• Clause 7 – provides guidance relating to the competence and evaluation of management system auditors and audit teams

Annex B – Removal of Help Boxes
• ISO 19011:2002 provided supplementary guidance or examples on specific topics in the form of practical help in boxed text. In some instances, this was intended to support the use of the International Standard in small organisations
• The help boxes have been removed in ISO 19011:2011:
  - Some information has been moved to the new Annex B
  - Some information has been incorporated into the text
  - Some information is no longer included, e.g. examples of audit programmes
• Annex B contains extra information, e.g. additional guidance on conducting a document review

Competence Determination and Evaluation Process has been Strengthened
• Clause 7 provides guidance relating to the competence and evaluation of management system auditors and audit teams
• The evaluation should be conducted using two or more of the methods selected from those in Table 2 of Clause 7.4, i.e.:
  - Review of records
  - Observation
  - Feedback
  - Testing
  - Interview
  - Post-audit review
• ISO 19011:2002 stated that evaluation should be undertaken using 1 or more of the methods above

Annex A – Discipline-Specific Knowledge & Skills
Illustrative example of discipline-specific knowledge and skills of auditors in:
• Transportation safety management
• Environmental management
• Quality management
• Records management
• Resilience, security, preparedness and continuity management
• Information security
• Occupational health and safety management

ISO Public Website
More information has been made available on an ISO public website (www.ISO.org/ISO19011Auditing).